External risk intelligence

LimeSurvey Deserialization Code Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-56422

LimeSurvey is a web-based application designed to host surveys, which are typically deployed as public-facing web services to collect data from external respondents. As an internet-accessible web application, it is commonly exposed to the public internet by design in standard deployment patterns.

Deserialization

Limesurvey

6.14.3 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in LimeSurvey, a widely used web-based survey platform, which could allow unauthorized individuals to execute malicious code on the server. This issue affects systems that have not been updated to the latest version, potentially exposing them to significant security risks. The main concern is confirming relevance and exposure within the organization's environment.

  • Remote code execution on survey servers.
  • External access to survey data is a primary risk.
  • Confirm relevance and exposure of this survey platform.

Attack Path

How an attacker could exploit the issue

An attacker could exploit a deserialization vulnerability in LimeSurvey by sending a specially crafted request to the server, leading to arbitrary code execution. This requires no prior authentication or special user interaction, allowing for remote exploitation.

  • Unauthenticated network access.
  • Sending a malicious serialized object.
  • Server-side code execution.

Live Threat

Current exploitation, exposure, and threat context

A deserialization vulnerability in LimeSurvey could allow a remote attacker to execute arbitrary code on the server. This could occur when the application processes untrusted serialized data.

  • Server-side code execution.
  • Processing untrusted serialized data.
  • Compromised server integrity.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world remediation for this deserialization vulnerability in LimeSurvey likely involves collaboration between application owners and infrastructure teams. The first practical step is to identify all instances of the affected LimeSurvey version across the organization, determine their exposure to the internet or untrusted networks, and ascertain their business criticality. Once these factors are understood, the accountable owner can be identified to plan remediation, which may involve vendor coordination if the product is externally managed or dedicated maintenance windows if self-hosted.

  • Application and infrastructure teams own remediation.
  • Verify internet exposure and business criticality first.
  • Plan risk-based remediation with accountable owner.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is LimeSurvey?

LimeSurvey is a popular open-source, web-based platform used to create, distribute, and analyze online surveys. Organizations typically host it on their own servers to gather data from respondents. Because its primary purpose is collecting input from the public, it is frequently configured as an internet-facing application, making the availability and security of the underlying server infrastructure critical to data collection operations.

What is the vulnerability in CVE-2025-56422?

This CVE involves a deserialization weakness, classified as CWE-502. In simple terms, the application incorrectly handles incoming data objects, trusting them too much during the reconstruction process. Because of this, an attacker can send specially crafted data that the server mistakenly processes as legitimate instructions, allowing them to execute arbitrary code directly on the server's operating system.

How does an attacker trigger this bug?

An attacker triggers this vulnerability by sending a malicious serialized object to the affected application over the network. It does not require any specific user interaction, such as clicking a link, nor does it require prior authentication. Notably, simply viewing a standard, legitimate survey page or interacting with normal survey forms does not trigger this flaw; the exploit requires sending specifically structured, malicious data designed to bypass input processing logic.

Do I need to worry about this if my server is internal?

Halo Surface Signal identifies LimeSurvey as a web application typically deployed to face the public internet to collect respondent data, which significantly increases risk for such systems. If your instance is strictly internal and unreachable from the internet, the immediate threat level is lower. However, you should still evaluate if internal network segments are secure enough to prevent an attacker from reaching the survey server.

When should I start the update process?

You should prioritize this immediately if you identify instances running versions prior to 6.15.0+250623. First, work with your team to locate all running instances of LimeSurvey and confirm their current versions. Once identified, document which servers are internet-facing versus internal to help prioritize patching. Coordinate with your application and infrastructure teams to schedule maintenance, as updating the software is the primary way to remove the vulnerability.

References