
A critical-severity vulnerability has been discovered in the Bitdefender GravityZone Console, posing a significant risk to affected systems. The flaw, tracked as CVE-2025-2244 (CVSSv4 9.5), is an insecure PHP deserialization issue.
The vulnerability resides within the sendMailFromRemoteSource method in Emails.php. The Bitdefender GravityZone Console “unsafely uses php unserialize() on user-supplied input without validation“. This lack of validation allows an attacker to craft a malicious serialized payload. Successful exploitation can lead to “PHP object injection, perform a file write, and gain arbitrary command execution on the host system“.
This type of vulnerability is particularly dangerous as it can give attackers a foothold to take complete control of the server.
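To make the weakness concrete, here is an added illustration (not Bitdefender's code, and not the actual Emails.php) of the unsafe pattern the advisory describes beside a hardened form. The function names, field names and sample inputs are assumptions constructed for this example.

```php
<?php
// Hypothetical code, not the vendor's: shows why unserialize() on untrusted
// input is dangerous and how a defender removes the object-injection surface.

// Weak pattern: the sender controls which classes get instantiated, so any
// class whose __wakeup()/__destruct() touches files or processes is reachable.
function parseMailOptionsUnsafe(string $untrusted): array
{
    $opts = unserialize($untrusted);            // no validation, objects allowed
    return is_array($opts) ? $opts : [];
}

// Hardened form: forbid object instantiation and validate the expected shape.
function parseMailOptionsSafe(string $untrusted): array
{
    $opts = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($opts)) {
        throw new InvalidArgumentException('mail options must be a serialized array');
    }
    $schema = ['to' => 'string', 'subject' => 'string', 'body' => 'string'];
    $clean = [];
    foreach ($schema as $key => $type) {
        // Any object in the payload surfaces as __PHP_Incomplete_Class here and
        // fails the type check, so it never reaches the mail-sending code.
        if (!array_key_exists($key, $opts) || gettype($opts[$key]) !== $type) {
            throw new InvalidArgumentException("missing or mistyped field: $key");
        }
        $clean[$key] = $opts[$key];
    }
    return $clean;
}

// Constructed inputs: a benign array, and an array smuggling an (inert) object.
$benign = serialize(['to' => 'ops@example.invalid', 'subject' => 'hi', 'body' => 'x']);
$withObject = 'a:1:{s:2:"to";O:8:"stdClass":0:{}}';

var_dump(parseMailOptionsSafe($benign)['to']);   // string "ops@example.invalid"
try {
    parseMailOptionsSafe($withObject);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";      // rejected: missing or mistyped field: to
}
```

Where the wire format is under your control, replacing serialize()/unserialize() with a JSON round trip removes the class-instantiation problem entirely rather than merely fencing it.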
The vulnerability affects the Bitdefender GravityZone Console. Bitdefender has addressed the issue through an automatic update; the updated version, 6.41.2-1, contains the fix.
The advisory credits Nicolas Verdier (@n1nj4sec) for reporting the vulnerability.
Users of Bitdefender GravityZone Console are strongly advised to ensure their systems are updated to version 6.41.2-1 to mitigate the risk posed by this vulnerability.