CVE-2012-10040
Openfiler v2.x NetworkCard Command Execution
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Openfiler v2.x contains a command injection vulnerability in the system.html page. The device parameter is used to instantiate a NetworkCard object, whose constructor in network.inc calls exec() with unsanitized input. An authenticated attacker can exploit this to execute arbitrary commands as the openfiler user. Due to misconfigured sudoers, the openfiler user can escalate privileges to root via sudo /bin/bash without a password.
| CWE | CWE-78 |
| Vendor | openfiler |
| Product | openfiler |
| Published | Aug 11, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
Openfiler / Openfiler
2.0
References
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/openfiler_networkcard_exec.rb
exploit-db.com: https://www.exploit-db.com/exploits/21191
openfiler.com: https://www.openfiler.com/
sourceforge.net: https://sourceforge.net/projects/openfiler/
web.archive.org: http://web.archive.org/web/20210922060411/https://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/
Credits
bcoles