$ research-item --score 35 --exploit none

Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object…

Research page generated from configured evidence sources. Treat this as an analyst workbench: facts are sourced, gaps are labelled, and low-confidence chatter is separated from confirmed evidence.

Executive judgement

Operational lane: monitor
Priority score: 35
Confidence: low
Exploit status: none — No public exploitation signal captured by the configured pipeline yet.
Urgent publishable: no
CISA KEV: No CISA KEV match captured in configured source data at generation time.
Published/observed: 2026-06-17
EPSS score: not available

What happened

Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection.

This issue affects Creatify: from n/a through 1.5.

Why it matters

The item was promoted because the pipeline observed: priority score 35, exploit status none, confidence low.
It has a CVE identifier, so it can be tracked across NVD/CVE.org/vendor/exploit sources.
No PoC signal was detected by the current pipeline unless shown elsewhere on this page.

Evidence collected

NVD: nvd

Exploitation and PoC status

Current automated assessment: No public exploitation signal captured by the configured pipeline yet.
Public exploit/PoC: No PoC source captured yet by the configured pipeline.
Exploited in the wild: Not confirmed by configured sources at generation time.
Ransomware association: No ransomware association captured at generation time.

Publication / validation flags

no_exploitation_signal

Dark web / low-confidence chatter

No matching OTX/URLhaus/MalwareBazaar item found in configured low-confidence feeds at generation time.
This is not proof of absence. It means the current automated sources did not capture relevant underground or malware-feed chatter.

Defender actions

Identify Creatify plugin versions 1.5 and earlier in environment
Review application logs for deserialization activity
Apply available updates per vendor advisory

Analyst note

Evidence indicates no active threats or PoCs tied to CVE-2025-60236. Defenders should treat this as routine hygiene rather than urgent response. Focus remains on confirming presence of affected versions before any action.

Defender / Sentinel hunting queries

MDE exposure: devices with CVE-2025-60236

Find devices where Microsoft Defender Vulnerability Management reports the CVE.

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2025-60236"
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LastSeenTime
| order by VulnerabilitySeverityLevel desc, LastSeenTime desc

Exposure validation ideas

Search asset inventory for affected vendor/product names and any CVE reference.
Check internet-facing exposure through approved tools only: Shodan/Censys/GreyNoise links below are research starting points, not proof of exposure.
Prioritise management interfaces, edge devices, identity/control-plane systems, and OT/ICS assets where relevant.

Detection / hunting ideas

Review vendor logs for authentication failures, privilege changes, unexpected admin activity, and anomalous management-plane access.
Search SIEM/EDR telemetry for product-specific process names, network services, and newly published indicators from primary sources.
Monitor for scanner traffic or nuclei/metasploit module references once public exploit tooling appears.

Research links

Open questions

Is there a primary vendor advisory with exact affected versions and fixed versions?
Has CISA KEV, Shadowserver, GreyNoise, or a trusted vendor confirmed exploitation?
Are there credible PoC repositories or only secondary reporting mentioning PoC?
Is there underground/forum/leak-site discussion, or only public reporting?

Generated: 2026-06-17T15:39:20+00:00

← back to today