CVE-2025-56422

LimeSurvey · LimeSurvey

A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote, unauthenticated attacker to execute arbitrary code on the server.

Executive summary

LimeSurvey contains a critical deserialization vulnerability that enables remote code execution, posing an immediate threat to server integrity and data confidentiality.

Vulnerability

This is an insecure deserialization vulnerability that allows remote attackers to supply malicious serialized objects. When processed by the application, this results in arbitrary code execution on the underlying server.

Business impact

Remote code execution (RCE) is one of the most severe security risks, granting attackers full control over the host server. A CVSS score of 9.8 reflects the extreme potential for total system compromise, data theft, and the establishment of persistent backdoors within the environment.

Remediation

Immediate Action: Update the LimeSurvey installation to version 6.15.0+250623 or later.

Proactive Monitoring: Review server logs for suspicious process execution, unexpected file modifications, or unauthorized outbound network connections from the web server.

Compensating Controls: If immediate patching is not feasible, restrict external access to the application and implement WAF rules that filter serialized objects in HTTP requests.
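The two checks above (confirming the installed version is at or past the fixed release, and flagging HTTP requests that carry serialized objects) can be scripted. The following is an added example written for this page, not LimeSurvey project code: it parses LimeSurvey-style version strings with their `+build` suffix and compares them against the fixed version named in this advisory, and it scans constructed request-log lines for PHP's native `serialize()` object notation (LimeSurvey is a PHP application; the regex, the log format and the sample lines are this example's own assumptions, and the detection is a heuristic, not a signature for this specific flaw).

```python
import re
from urllib.parse import unquote_plus

# Fixed version named in the advisory.
FIXED_VERSION = "6.15.0+250623"


def parse_version(version: str):
    """Split a LimeSurvey-style version string such as '6.15.0+250623'
    into ((6, 15, 0), 250623). A missing or non-numeric build suffix
    compares as build 0, so '6.15.0' sorts below '6.15.0+250623'."""
    core, _, build = version.strip().partition("+")
    numbers = tuple(int(part) for part in core.split("."))
    build_num = int(build) if build.isdigit() else 0
    return numbers, build_num


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version.
    Tuple comparison orders by major.minor.patch first, then by build."""
    return parse_version(installed) >= parse_version(fixed)


# Heuristic for PHP's serialize() object notation:  O:<len>:"<class>":<n>:{
# Request payloads are usually URL-encoded, so each line is decoded first.
# This is an assumed pattern for monitoring, not a vendor-provided rule.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def find_serialized_objects(log_lines):
    """Return (line_number, class_name) for every log line that carries a
    PHP serialized object after URL-decoding. Suitable for WAF or reverse
    proxy logs that record query strings or request bodies."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        decoded = unquote_plus(line)
        for match in PHP_OBJECT_RE.finditer(decoded):
            hits.append((number, match.group(1)))
    return hits


# Constructed sample log lines (not real traffic). The second line carries a
# URL-encoded, harmless stdClass object in its logged request-body field.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jul/2025:10:00:01 +0000] "GET /index.php/admin HTTP/1.1" 200 512 "-"',
    '203.0.113.10 - - [01/Jul/2025:10:00:02 +0000] "POST /index.php?r=survey/index HTTP/1.1" 200 2048 '
    '"O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D"',
    '203.0.113.11 - - [01/Jul/2025:10:00:03 +0000] "GET /index.php?r=survey/index&token=abc123 HTTP/1.1" 200 4096 "-"',
]


if __name__ == "__main__":
    for version in ("6.14.9+250601", "6.15.0+250101", "6.15.0+250623", "6.16.0+250801"):
        print(f"{version}: {'patched' if is_patched(version) else 'VULNERABLE'}")
    for number, cls in find_serialized_objects(SAMPLE_LOG):
        print(f"line {number}: serialized PHP object of class {cls}")
```

Note that the build number matters: 6.15.0+250101 is below the fixed 6.15.0+250623 even though the numeric version is identical. The log scan only catches plain or URL-encoded serialized data; a payload wrapped in base64 or split across parameters would need an extra decoding pass before matching, and any WAF rule derived from this pattern should be tested against legitimate traffic for false positives.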

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the severity of this remote code execution flaw, this update must be treated with the highest urgency. Administrators should verify their current version and apply the update immediately to prevent potential system-wide compromise.