{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pimcore/admin-ui-classic-bundle/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pimcore/pimcore","pimcore/admin-ui-classic-bundle"],"_cs_severities":["high"],"_cs_tags":["deserialization","remote code execution","php"],"_cs_type":"advisory","_cs_vendors":["Pimcore"],"content_html":"\u003cp\u003ePimcore, a content management framework, contains a critical vulnerability (CVE-2026-45162) due to unsafe PHP deserialization in version 11 and earlier. The vulnerability stems from the use of \u003ccode\u003eunserialize()\u003c/code\u003e in multiple locations without the \u003ccode\u003eallowed_classes\u003c/code\u003e restriction. This oversight allows attackers to inject arbitrary PHP objects if they can control the serialized data. The affected locations include \u003ccode\u003elib/Tool/Authentication.php\u003c/code\u003e, \u003ccode\u003emodels/Site/Dao.php\u003c/code\u003e, \u003ccode\u003emodels/DataObject/ClassDefinition/CustomLayout/Dao.php\u003c/code\u003e, \u003ccode\u003emodels/Tool/TmpStore/Dao.php\u003c/code\u003e, \u003ccode\u003emodels/Asset/WebDAV/Service.php\u003c/code\u003e, and \u003ccode\u003eadmin-ui-classic-bundle/src/Helper/Dashboard.php\u003c/code\u003e. The data being deserialized is sourced from database columns and filesystem files. Exploitation requires an attacker to be able to write to these data sources, which can be achieved through SQL injection or file write vulnerabilities. Successful exploitation leads to remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a writable data source, such as the \u003ccode\u003etmp_store\u003c/code\u003e table or the \u003ccode\u003ewebdav-delete.dat\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains write access to the chosen data source, for example via SQL injection against the \u003ccode\u003etmp_store\u003c/code\u003e table or a file write vulnerability against \u003ccode\u003ewebdav-delete.dat\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized PHP object, containing a gadget chain designed for remote code execution (e.g., using Monolog\u0026rsquo;s BufferHandler).\u003c/li\u003e\n\u003cli\u003eThe attacker writes the malicious serialized data to the targeted data source (e.g., inserting a row into \u003ccode\u003etmp_store\u003c/code\u003e with the serialized payload, or writing to \u003ccode\u003ewebdav-delete.dat\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA user action or scheduled task triggers the vulnerable \u003ccode\u003eunserialize()\u003c/code\u003e call in one of the affected files (e.g., accessing a page that reads from \u003ccode\u003eTmpStore\u003c/code\u003e, or triggering a WebDAV operation that uses the delete log).\u003c/li\u003e\n\u003cli\u003eThe PHP \u003ccode\u003eunserialize()\u003c/code\u003e function processes the attacker-controlled serialized data without \u003ccode\u003eallowed_classes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected PHP object is instantiated, and its methods are invoked according to the gadget chain.\u003c/li\u003e\n\u003cli\u003eThe gadget chain executes arbitrary PHP code with the privileges of the web server, resulting in remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the Pimcore server. This can lead to complete compromise of the application, including data theft, modification, or deletion. The impact is amplified by the availability of public exploit techniques and gadget chains. Given Pimcore\u0026rsquo;s use in content management and e-commerce, a successful attack could have significant financial and reputational consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of Pimcore that addresses CVE-2026-45162.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to database access (e.g., SQL injection attempts) that could be used to inject malicious serialized data into database tables.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls on the web server to prevent unauthorized writing to the filesystem, mitigating the risk of injecting serialized data into files like \u003ccode\u003ewebdav-delete.dat\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T16:58:21Z","date_published":"2026-05-27T16:58:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-pimcore-deserialization/","summary":"Pimcore v11 and earlier is vulnerable to unsafe PHP deserialization in multiple locations due to missing `allowed_classes` restrictions when calling `unserialize()` on data from database columns and filesystem files; an attacker with control over serialized data sources (e.g., via SQL injection or file write vulnerabilities) can inject PHP gadget chains, leading to remote code execution.","title":"Pimcore Unsafe PHP Deserialization Vulnerability (CVE-2026-45162)","url":"https://feed.craftedsignal.io/briefs/2026-05-pimcore-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Pimcore/Admin-Ui-Classic-Bundle","version":"https://jsonfeed.org/version/1.1"}