CVE-2025-48389 Overview
CVE-2025-48389 is an insecure deserialization vulnerability [CWE-502] in FreeScout, a self-hosted help desk and shared mailbox application. In versions prior to 1.8.178, Option::set() does not validate the value it stores: arrays and objects are passed through PHP's serialize(), and anything else, including a string that is already serialized data, is stored verbatim. A user with high privileges can therefore store a crafted serialized PHP object as an option value. When the application later reads that option through Option::get(), the stored string is handed to unserialize(), which reconstructs the attacker-chosen object and runs its magic methods; with a usable gadget chain in the application or its dependencies this yields arbitrary code execution.
The issue was patched in FreeScout 1.8.178 by replacing serialize() with json_encode() for array storage; objects are no longer serialized at all.
Critical Impact
An authenticated attacker with privileges to change options can execute arbitrary code on the host running FreeScout as the web application user, compromising the confidentiality and integrity of all help desk data (mailbox contents, customer records, configuration) and the host itself.
Affected Products
- FreeScout versions prior to 1.8.178
- Every self-hosted help desk or shared mailbox deployment of those versions: the Option model is part of the core application, so no optional module or particular configuration is required for the flaw to be present
Discovery Timeline
- 2025-05-29 - CVE-2025-48389 published to the National Vulnerability Database (NVD)
- 2025-07-11 - NVD record last updated
Technical Details for CVE-2025-48389
Vulnerability Analysis
FreeScout stores configuration options through the Option model. The maybeSerialize() helper inside app/Option.php calls PHP's serialize() function whenever an array or object is supplied to Option::set(). The matching Option::get() method later passes stored values through maybeUnserialize(), which invokes unserialize() on the raw string.
Because the input to set() is not validated, an attacker who can write a setting value can supply a string that is already a serialized object; since only arrays and objects are serialized, the string is stored in the database unchanged. When the stored value is retrieved, unserialize() reconstructs the object and triggers magic methods such as __wakeup() (at deserialization time) or __destruct() (when the object is released), and any such method with useful side effects in the application or its Laravel/vendor dependencies becomes a gadget. Chained together, these give arbitrary code execution in the FreeScout PHP process context.
Root Cause
The root cause is the use of PHP serialize()/unserialize() for persisting option values that originate from user-influenced input. PHP deserialization is unsafe on attacker-controlled data because unserialize() instantiates whatever class the input names (without calling its constructor) and invokes that class's magic methods; the data format itself carries no allowlist, so the only safe defaults are a format that cannot name classes (such as JSON) or unserialize() with allowed_classes restricted.
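The following PHP is an added illustration, not FreeScout's own code, modelling the Option round trip before and after the fix. The DemoGadget class, the in-memory store and the payload string are constructed for the demo; real exploitation relies on gadget classes that already exist in the application or its vendor libraries, which this example does not reproduce. The gadget only prints so the effect of merely reading the option is visible.

```php
<?php
declare(strict_types=1);

// Added illustration, not FreeScout's code. DemoGadget stands in for any
// class whose magic method has side effects; it is constructed for this demo
// and only prints, whereas a real chain would reach file writes or exec.
final class DemoGadget
{
    public string $note = '';

    public function __wakeup(): void
    {
        echo "[gadget] __wakeup ran on read, note={$this->note}\n";
    }
}

// ---- Pre-1.8.178 pattern: the vulnerable write/read pair -----------------

function vulnerableMaybeSerialize(mixed $data): mixed
{
    // Arrays and objects are serialized; anything else, including a string
    // that is already serialized data, is stored verbatim.
    return (is_array($data) || is_object($data)) ? serialize($data) : $data;
}

function vulnerableMaybeUnserialize(mixed $value): mixed
{
    if (!is_string($value)) {
        return $value;
    }
    // Simplified stand-in for the read path: whatever is in the column is
    // handed to unserialize(), which instantiates the class the data names.
    $decoded = @unserialize($value);
    return ($decoded === false && $value !== 'b:0;') ? $value : $decoded;
}

// ---- 1.8.178 pattern: arrays become JSON, nothing is unserialized ---------

function fixedMaybeSerialize(mixed $data): mixed
{
    // Only arrays are encoded. JSON_THROW_ON_ERROR surfaces encoding
    // failures instead of silently storing false.
    return is_array($data) ? json_encode($data, JSON_THROW_ON_ERROR) : $data;
}

function fixedMaybeUnserialize(mixed $value): mixed
{
    if (!is_string($value)) {
        return $value;
    }
    // assoc=true yields plain arrays; json_decode() never instantiates an
    // application class, so there is no magic method to trigger.
    $decoded = json_decode($value, true);
    return (json_last_error() === JSON_ERROR_NONE && is_array($decoded)) ? $decoded : $value;
}

// ---- Demo ------------------------------------------------------------------

$store = [];  // stands in for the options table: name => stored string

// Constructed attacker input: a serialized DemoGadget passed as a plain string.
// Because it is a string, both write paths store it unchanged.
$payload = 'O:10:"DemoGadget":1:{s:4:"note";s:4:"demo";}';

$store['vuln'] = vulnerableMaybeSerialize($payload);
$read = vulnerableMaybeUnserialize($store['vuln']);   // __wakeup() fires here
if (!$read instanceof DemoGadget) {
    throw new RuntimeException('expected the vulnerable path to rebuild the object');
}

$store['fixed'] = fixedMaybeSerialize($payload);
$read = fixedMaybeUnserialize($store['fixed']);        // not valid JSON: returned as-is
if ($read !== $payload) {
    throw new RuntimeException('expected the fixed path to leave the string inert');
}

// Legitimate configuration still round-trips through the fixed path.
$store['mail'] = fixedMaybeSerialize(['host' => 'smtp.example.test', 'port' => 587]);
$mail = fixedMaybeUnserialize($store['mail']);
if (!is_array($mail) || $mail['port'] !== 587) {
    throw new RuntimeException('expected the JSON array to round-trip');
}
echo "fixed path returned " . gettype($read) . " for the payload; mail port {$mail['port']}\n";
```

Run it with `php demo.php` (PHP 8.0 or later for the mixed type). The point to take from the two write functions is that neither one transforms the attacker's string; the difference is entirely on the read side, where json_decode() has no way to name a class and unserialize() does.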
Attack Vector
The vulnerability is reachable over the network through the FreeScout administrative interface. Exploitation requires an authenticated account with privileges to modify options. Once a malicious serialized payload is stored, the next read of that option, whether by the attacker reloading the relevant page or by any other user or background job that causes the option to be loaded, triggers the deserialization.
*/
public static function maybeSerialize($data)
{
- if (is_array($data) || is_object($data)) {
- return serialize($data);
+ // if (is_array($data) || is_object($data)) {
+ // return serialize($data);
+ // }
+ // We don't use serialize() function as it is not safe.
+ if (is_array($data)) {
+ return json_encode($data);
}
return $data;
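Review bot: this hunk changes only the write side, but the sink is the read side, which is not in this hunk: Option::get()/maybeUnserialize() is unchanged here, and rows written by earlier versions still hold serialize() output, so if the read path keeps passing the column value to unserialize(), legacy rows and any payload already planted remain exploitable after the upgrade. Confirm the read path decodes JSON only (or at least uses allowed_classes => false for legacy values) and consider a migration that rewrites legacy rows as JSON. Two smaller points: json_encode() returns false on failure (invalid UTF-8, excessive depth), which the new branch would store as-is, so pass JSON_THROW_ON_ERROR or check the return; and objects passed to Option::set() now fall through to `return $data;` silently rather than being stored, which callers may not expect. The commented-out serialize() lines can simply be deleted; git history keeps them.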
Source: FreeScout patch commit f7548a7. The fix removes the serialize() call so that new array values are stored as JSON; json_decode() cannot instantiate application classes, which closes the object-instantiation path for values written after the patch. Values written before the upgrade remain in the database in serialized form and should be reviewed separately.
Detection Methods for CVE-2025-48389
Indicators of Compromise
- Option values in the FreeScout options table containing the PHP object markers O:<n>:"ClassName" or C:<n>:"ClassName", including when nested inside an a: array. A leading a: or s: on its own is not an indicator: installations older than 1.8.178 legitimately store arrays and strings that way, and those rows persist after the upgrade.
- Unexpected child processes of the PHP worker (php-fpm or the web server's PHP module) running as the FreeScout web user, such as shells, curl/wget or scripting interpreters, and outbound network connections originating from the application host.
- Web server access logs showing requests to the settings or option-management endpoints from unusual source addresses, at unusual times, or from accounts that do not normally change configuration.
Detection Strategies
- Inspect the options table directly in the database, or from a dump, for stored values matching serialized PHP object signatures and review their provenance. Do not examine suspicious values by loading them through the application (Option::get()): that is the deserialization sink.
- Audit FreeScout administrator accounts and recent privilege changes to identify accounts that may have been used to plant a payload.
- Correlate FreeScout application logs with host-level process telemetry to detect deserialization-triggered child processes.
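The following PHP triage script is an added example, not part of FreeScout or of the advisory, implementing the first strategy above against rows pulled from the database. The sample rows, the column names name/value and the class name EvilGadget are constructed for the example; on a real instance replace the inline array with the result of a direct SQL query of the options table (the column names are an assumption to verify against the schema). The probe uses unserialize() with allowed_classes disabled, so named classes are replaced by __PHP_Incomplete_Class and none of their magic methods run.

```php
<?php
declare(strict_types=1);

// Added triage example, not FreeScout code. Rows are constructed here; on a
// real instance read them from a database dump or a direct SQL query rather
// than through Option::get(), which is the deserialization sink.

// Cheap pre-filter usable as a SQL REGEXP: an object marker O:<n>:" or
// C:<n>:" at the start of the value or after a ; or { separator.
const OBJECT_MARKER = '/(?:^|[;{])[OC]:\d+:"/';

/** Collect class names from a structure decoded with allowed_classes=false. */
function collectClassNames(mixed $node, array &$names): void
{
    if ($node instanceof __PHP_Incomplete_Class) {
        // unserialize() replaced the real class with this placeholder, which
        // has no __wakeup/__destruct, so nothing ran; the original name is
        // kept in a pseudo-property.
        $props = (array) $node;
        $names[] = (string) ($props['__PHP_Incomplete_Class_Name'] ?? '?');
        unset($props['__PHP_Incomplete_Class_Name']);
        foreach ($props as $child) {
            collectClassNames($child, $names);   // nested gadgets
        }
    } elseif (is_array($node)) {
        foreach ($node as $child) {
            collectClassNames($child, $names);
        }
    }
}

/**
 * Classify one stored option value. Verdicts:
 *   json_array        - post-1.8.178 format, cannot instantiate classes
 *   scalar            - plain string/number, not serialized at all
 *   legacy_serialized - pre-patch serialize()d array/scalar naming no class
 *   suspicious_object - serialized data naming one or more classes, or a
 *                       malformed blob that still carries an object marker
 */
function classifyOptionValue(string $value): array
{
    $json = json_decode($value, true);
    if (json_last_error() === JSON_ERROR_NONE && is_array($json)) {
        return ['verdict' => 'json_array', 'classes' => []];
    }

    // Safe probe: allowed_classes=false turns every object into
    // __PHP_Incomplete_Class, so no magic method of the named class executes.
    // max_depth (PHP 7.4+) bounds nesting so a hostile blob cannot exhaust the stack.
    $probe = @unserialize($value, ['allowed_classes' => false, 'max_depth' => 64]);
    $isSerialized = ($probe !== false || $value === 'b:0;');

    $classes = [];
    if ($isSerialized) {
        collectClassNames($probe, $classes);
    }
    $classes = array_values(array_unique($classes));

    if ($classes !== [] || preg_match(OBJECT_MARKER, $value) === 1) {
        return ['verdict' => 'suspicious_object', 'classes' => $classes];
    }
    if (!$isSerialized) {
        return ['verdict' => 'scalar', 'classes' => []];
    }
    return ['verdict' => 'legacy_serialized', 'classes' => []];
}

// Constructed sample rows standing in for a direct query of the options table.
$rows = [
    ['name' => 'company_name',  'value' => 'Acme Support'],
    ['name' => 'mail_settings', 'value' => 'a:1:{s:4:"port";i:587;}'],
    ['name' => 'alert_events',  'value' => '["error","warning"]'],
    ['name' => 'theme',         'value' => 'a:1:{i:0;O:10:"EvilGadget":1:{s:3:"cmd";s:2:"id";}}'],
];

foreach ($rows as $row) {
    $r = classifyOptionValue($row['value']);
    $classes = $r['classes'] === [] ? '-' : implode(',', $r['classes']);
    printf("%-14s %-18s classes=%s\n", $row['name'], $r['verdict'], $classes);
}
```

Every row that comes back as suspicious_object deserves provenance review, and any class name that is not one FreeScout or its vendor packages would legitimately persist in an option should be treated as a planted payload. The legacy_serialized rows are the normal residue of a pre-1.8.178 installation; they are only a problem if the read path still calls unserialize() on them, which is worth confirming in the upgraded code.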
Monitoring Recommendations
- Monitor outbound connections from the FreeScout host for traffic to unknown destinations following administrative activity.
- Alert on creation or modification of files inside the FreeScout web root, particularly PHP files outside the deployment baseline.
- Track failed and successful logins to FreeScout admin accounts and flag anomalous geographic or temporal patterns.
How to Mitigate CVE-2025-48389
Immediate Actions Required
- Upgrade FreeScout to version 1.8.178 or later, which replaces the unsafe serialize() call in Option::set() with json_encode(). The upgrade does not by itself remove values that were stored before it, so the options table still needs review afterwards.
- Rotate credentials for all FreeScout administrator accounts and review the user list for unauthorized additions.
- Inspect the options table directly in the database (not through Option::get(), which would deserialize the value) and delete any row whose value contains a serialized PHP object that cannot be attributed to legitimate operation. Treat such a row as evidence of compromise and escalate to incident response, since the payload may already have been executed by an earlier read.
Patch Information
The vendor fix is published in commit f7548a7076a0b6e109001069d6be223fbd96c61e and shipped in FreeScout 1.8.178. Details are available in the FreeScout GitHub Security Advisory GHSA-jmpv-8q3h-2m8v and the FreeScout patch commit.
Workarounds
- Restrict access to the FreeScout administrative interface using network controls such as VPN or IP allowlisting until the patch is applied.
- Limit administrative role assignments to the minimum number of trusted operators while the host remains unpatched.
- Place the FreeScout application behind a web application firewall and block requests whose option parameters contain PHP object-serialization markers (for example O:<digits>:"). This is a stop-gap only: it does not remove a payload that is already stored, and a determined attacker with administrative access may find another way to write the value.
# Upgrade FreeScout to the patched release
# Assumes a git-based install under /var/www/freescout; adjust the path and
# run the artisan commands as the web server user so file ownership is preserved
cd /var/www/freescout
git fetch --tags
git checkout 1.8.178
php artisan freescout:after-app-update
php artisan config:cache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

