CVE-2014-125118
eScan 5.5-2 Web Management Console Command Injection
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A command injection vulnerability exists in the eScan Web Management Console version 5.5-2. The application fails to properly sanitize the 'pass' parameter when processing login requests to login.php, allowing an authenticated attacker with a valid username to inject arbitrary commands via a specially crafted password value. Successful exploitation results in remote code execution. Privilege escalation to root is possible by abusing the runasroot utility with mwconf-level privileges.
| CWE | CWE-78, CWE-306 |
| Vendor | microworld |
| Product | escan web management console |
| Published | Jul 25, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
MicroWorld / eScan Web Management Console
5.5-2
References
exploit-db.com: https://www.exploit-db.com/exploits/32869
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/antivirus/escan_password_exec.rb
vulncheck.com: https://www.vulncheck.com/advisories/escan-web-management-console-command-injection
Credits
Joxean Koret