PT-2025-32553 · Openfiler · Openfiler
Published
2025-08-11
·
Updated
2025-08-11
·
CVE-2012-10040
CVSS v4.0
9.4
Critical
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
Openfiler versions 2.x
Description:
Openfiler v2.x contains a command injection issue in the system.html page. The device parameter is used to create a NetworkCard object, and its constructor in network.inc calls exec() with unsanitized input. An authenticated attacker can exploit this to execute arbitrary commands as the openfiler user. Due to an incorrect sudoers configuration, the openfiler user can then escalate privileges to root by running sudo /bin/bash without a password.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
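As an added illustration of the fix a maintainer would apply for the input-handling half of this issue (example code written for this entry, not Openfiler's own; the function names, the allowlist pattern and the `ip link show` command are assumptions), the following PHP helper rejects any device name that does not look like a Linux interface name before the value is used to build a command, and wraps it in escapeshellarg() as a second layer:

```php
<?php
// Added example, not taken from Openfiler. Shows validating a user-supplied
// network device name before it can reach exec().

// Assumed allowlist: Linux interface names are at most 15 characters and,
// in practice, consist of letters, digits and a few separators (eth0, bond0,
// eth0.100). Extend the class only if the device naming scheme requires it.
const IFACE_PATTERN = '/^[a-z][a-z0-9._-]{0,14}$/';

/**
 * Returns the device name unchanged if it matches the allowlist, otherwise
 * throws. Rejecting early means shell metacharacters such as ';', '|', '$'
 * or whitespace never reach the command string.
 */
function validateDeviceName(string $device): string
{
    if (!preg_match(IFACE_PATTERN, $device)) {
        throw new InvalidArgumentException('Invalid network device name');
    }
    return $device;
}

/**
 * Builds the command with escapeshellarg() as defence in depth, even though
 * the allowlist already excludes every character it would need to quote.
 * 'ip link show' is a stand-in for whatever the real constructor runs.
 */
function buildLinkCommand(string $device): string
{
    $safe = validateDeviceName($device);
    return 'ip link show ' . escapeshellarg($safe);
}

// Constructed inputs: a normal interface name is accepted, a value carrying
// shell metacharacters is rejected before exec() is ever called.
$output = [];
exec(buildLinkCommand('eth0'), $output, $status);
echo "exit status for eth0: {$status}", PHP_EOL;

try {
    buildLinkCommand('eth0; echo injected');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist, not escapeshellarg(), does the real work here: a value that fails the pattern is refused outright rather than quoted and passed along. The sudoers half of the advisory is a separate control; the entry's own description (sudo /bin/bash with no password for the openfiler user) points at the rule to remove, since a service account should only ever be granted specific, argument-restricted commands rather than an interactive shell.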
Weakness Enumeration
OS Command Injection
Related Identifiers
CVE-2012-10040
Affected Products
Openfiler