CVE-2018-25159
Epross · AVCON6
The Epross AVCON6 systems management platform is susceptible to OGNL injection via the login.action endpoint, allowing unauthenticated attackers to execute arbitrary system commands as root.
Executive summary
The Epross AVCON6 platform contains a critical OGNL injection vulnerability that permits unauthenticated remote code execution with root-level privileges.
Vulnerability
The application fails to validate user-supplied input in the redirect parameter of the login.action endpoint, enabling OGNL expression injection that triggers the instantiation of ProcessBuilder objects.
Business impact
The CVSS score of 9.8 reflects the extreme risk associated with this vulnerability. Because the exploit grants root-level execution, an attacker can gain complete control over the host system, leading to permanent data loss, full system compromise, and the potential for the platform to be used as a pivot point for further network attacks.
Remediation
Immediate Action: Apply the latest security update provided by Epross to patch the vulnerable login.action endpoint.
Proactive Monitoring: Review web server logs for suspicious OGNL payloads within the redirect parameter and monitor system process logs for unauthorized command execution.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to block requests containing OGNL expression syntax or suspicious redirect parameters.
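To make the monitoring item concrete, the following is an added example (not part of the advisory or any Epross tooling) that scans combined-format web server access log lines for requests to login.action whose redirect parameter contains OGNL expression syntax or the ProcessBuilder class name. The log lines, the indicator list and the /AVCON6/ path prefix are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical indicator list: OGNL expression delimiters, static member
# access syntax, and the class the advisory names. Not a complete signature.
OGNL_INDICATORS = [
    re.compile(r"[%$]\{"),          # ${...} / %{...} expression delimiters
    re.compile(r"@[\w.]+@"),        # @some.Class@member static access
    re.compile(r"ProcessBuilder"),  # class named in the advisory
]

# Apache/nginx combined log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; the second carries a deliberately non-functional
# OGNL fragment, the third hits a different endpoint and is not in scope.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /AVCON6/login.action?redirect=/index.jsp HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /AVCON6/login.action?redirect=%24%7BProcessBuilder%7D HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /AVCON6/index.action?redirect=%24%7B1%2B1%7D HTTP/1.1" 200 100
"""


def suspicious_redirect(target):
    """Return the indicator patterns found in the redirect parameter of a
    login.action request target, or an empty list for anything else."""
    parts = urlsplit(target)
    if not parts.path.endswith("/login.action"):
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("redirect", [])
    hits = []
    for value in values:
        decoded = unquote(value)  # parse_qs decoded once; catch double-encoding
        for pattern in OGNL_INDICATORS:
            if pattern.search(decoded):
                hits.append(pattern.pattern)
    return hits


def scan(log_text):
    """Return (client_ip, request_target, indicators) for each flagged line."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue
        hits = suspicious_redirect(match.group("target"))
        if hits:
            findings.append((match.group("ip"), match.group("target"), hits))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {hits}")
```

The rule is deliberately scoped to the endpoint the advisory names; widening the path check to every `.action` target would catch the third sample line at the cost of more false positives.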
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the ability to achieve root-level code execution without authentication, this vulnerability must be treated as a priority. Ensure all systems are updated and that the management interface is not exposed to the public internet.