What products are affected by the recently reported Bitdefender vulnerabilities?

The vulnerabilities affect Bitdefender's business malware protection solution, GravityZone. Specifically, both the GravityZone Console used for administration and the GravityZone Update Server are impacted.

What is CVE-2025-2244 and how severe is it?

CVE-2025-2244 is an insecure PHP deserialization issue in GravityZone Console with a CVSS score of 9.5 (Critical). The flaw exists in the sendMailFromRemoteSource method within Emails.php, where the application unsafely uses the PHP unserialize() function on user-supplied input without proper validation. The vulnerability allows attackers to trigger PHP object injection, perform arbitrary file writes and gain command execution on the host system.

What is CVE-2025-2243 and how severe is it?

CVE-2025-2243 is a Server-Side Request Forgery (SSRF) vulnerability in GravityZone Console with a CVSS score of 6.9 (Medium). It allows attackers to bypass content verification mechanisms through manipulated DNS queries with special initial characters when the console is running in relay mode. This can result in the execution of foreign code when linked with other vulnerabilities.

What is CVE-2025-2245 and how severe is it?

CVE-2025-2245 is a Server-Side Request Forgery (SSRF) vulnerability in GravityZone Update Server with a CVSS score of 6.9 (Medium). This flaw affects the HTTP proxy module listening on port 7074. The module relies on a domain allow list to restrict outgoing requests, but hostnames containing a null byte (%00) can disrupt the check, allowing attackers to bypass allow list checks and send requests to arbitrary systems.

Which versions of Bitdefender GravityZone are affected by these vulnerabilities?

Bitdefender GravityZone Console versions prior to 6.41.2-1 and Bitdefender GravityZone Update Server versions prior to 3.5.2.689 are affected by these vulnerabilities.

Has Bitdefender released patches for these vulnerabilities?

Yes, Bitdefender has released patches to address these vulnerabilities. GravityZone Console should be updated to version 6.41.2-1 or newer, and GravityZone Update Server should be updated to version 3.5.2.689 or newer.

What is the risk if these vulnerabilities are not patched?

If left unpatched, these vulnerabilities could allow attackers to gain command execution on host systems, bypass content verification mechanisms, and send requests to arbitrary systems, potentially compromising the security of the entire network protected by Bitdefender GravityZone.

Advisory

Bitdefender reports critical flaw in GravityZone

published: April 7, 2025

Take action: If you are running BitDefender GravityZone, check if the Console and Update server have auto-updated to 6.41.2-1 or newer and 3.5.2.689 or newer respectively. If they havent, force an update.

Learn More

Bitdefender is reporting multiple vulnerabilities affecting their business malware protection solution, GravityZone. These security flaws impact both the GravityZone Console used for administration and the GravityZone Update Server.

Vulnerability summary

CVE-2025-2244 (CVSS score 9.5) - insecure PHP deserialization issue in GravityZone Console. The flaw exists in the sendMailFromRemoteSource method within Emails.php, where the application unsafely uses the PHP unserialize() function on user-supplied input without proper validation. The vulnerability allows attackers to trigger PHP object injection, perform arbitrary file writes and gain command execution on the host system
(CVE-2025-2243, CVSS 6.9) - Server-Side Request Forgery (SSRF) in GravityZone Console. It allows attackers to bypass content verification mechanisms through manipulated DNS queries with special initial characters when the console is running in relay mode. This can result in the execution of foreign code when linked with other vulnerabilities.
(CVE-2025-2245, CVSS 6.9) - SSRF in GravityZone Update Server - This flaw affects the HTTP proxy module listening on port 7074. The module relies on a domain allow list to restrict outgoing requests, but hostnames containing a null byte (%00) can disrupt the check, allowing attackers to bypass allow list checks and send requests to arbitrary systems using manipulated requests in the form of "www.malicious-domain.com%00bitdefender.com".

Affected Products

Bitdefender GravityZone Console (versions prior to 6.41.2-1)
Bitdefender GravityZone Update Server (versions prior to 3.5.2.689)

Bitdefender has released patches to address these vulnerabilities:

GravityZone Console should be updated to version 6.41.2-1 or newer
GravityZone Update Server should be updated to version 3.5.2.689 or newer

According to Bitdefender, these updates are typically applied automatically. However, administrators are advised to verify that their systems have been updated to the patched versions to ensure protection against these vulnerabilities.

Bitdefender reports critical flaw in GravityZone

Read More
VMware addresses critical vulnerabilities in Aria Operations for …
QNAP releases multiple patches, including two high severity
Wibu Systems license management critical but impacts multiple …
Critical authentication bypass and multiple flaws discovered in …
Oracle October Update has patches for over 387 …