PT-2025-43628 · Emoncms · Emoncms

Published: 2025-10-24 · Updated: 2025-10-24 · CVE-2025-60938

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Emoncms version 11.7.3

Description

Emoncms version 11.7.3 contains a remote code execution issue in the firmware upload functionality. Authenticated users can execute arbitrary commands on the system. This is due to inadequate validation of user-supplied input, specifically the filename, port, baud rate, core, and autoreset parameters. The vulnerability is present in the /admin/upload-custom-firmware API endpoint.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /admin/upload-custom-firmware API endpoint.
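
The kind of input validation the description says is missing, as an added example that is not Emoncms code or its actual fix: each of the five parameters is checked against an allowlist and the command is built as an argv array, so no value reaches a shell. The request key names, allowed baud rates, core names, upload directory and flashing tool path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Key names, allowlists and the flasher path are assumptions
// for illustration; they are not taken from the Emoncms source.
const ALLOWED_BAUD  = [9600, 38400, 57600, 115200];          // constructed
const ALLOWED_CORES = ['example-core-a', 'example-core-b'];   // placeholders
const FLASHER       = '/usr/local/bin/example-flasher';       // hypothetical tool
// Returns an argv array built only from values that passed an allowlist.
function build_flash_argv(array $in, string $uploadDir): array
{
    $name = (string)($in['filename'] ?? '');
    // Bare file name only: no slashes, dots limited to one fixed extension.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.hex\z/', $name) !== 1) {
        throw new InvalidArgumentException('filename');
    }
    $port = (string)($in['port'] ?? '');
    // Device node name such as ttyAMA0; never a path or an option string.
    if (preg_match('/\Atty[A-Za-z]{1,6}[0-9]{1,2}\z/', $port) !== 1) {
        throw new InvalidArgumentException('port');
    }
    $baud = filter_var($in['baud_rate'] ?? null, FILTER_VALIDATE_INT);
    if ($baud === false || !in_array($baud, ALLOWED_BAUD, true)) {
        throw new InvalidArgumentException('baud_rate');
    }
    $core = (string)($in['core'] ?? '');
    if (!in_array($core, ALLOWED_CORES, true)) {
        throw new InvalidArgumentException('core');
    }
    $auto = (string)($in['autoreset'] ?? '');
    if (!in_array($auto, ['0', '1'], true)) {
        throw new InvalidArgumentException('autoreset');
    }
    return [FLASHER, '--port', "/dev/$port", '--baud', (string)$baud,
            '--core', $core, '--autoreset', $auto, '--file', "$uploadDir/$name"];
}

// Constructed requests: one well-formed, one with shell syntax in "port".
$ok  = ['filename' => 'fw_v1.hex', 'port' => 'ttyAMA0', 'baud_rate' => '115200',
        'core' => 'example-core-a', 'autoreset' => '1'];
$bad = ['port' => 'ttyAMA0;id'] + $ok;
foreach ([$ok, $bad] as $req) {
    try {
        // Pass the array to proc_open() (PHP 7.4+): argv form starts no shell.
        echo implode(' ', build_flash_argv($req, '/var/tmp/fw')), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first request prints the argv that would be handed to the flashing tool; the second is rejected at the port check before any command is assembled.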

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2025-60938

Affected Products

Emoncms