CVE-2018-25159

Epross · AVCON6

The Epross AVCON6 systems management platform is susceptible to OGNL injection via the login.action endpoint, allowing unauthenticated attackers to execute arbitrary system commands as root.

Executive summary

The Epross AVCON6 platform contains a critical OGNL injection vulnerability that permits unauthenticated remote code execution with root-level privileges.

Vulnerability

The application fails to validate user-supplied input in the redirect parameter of the login.action endpoint, enabling OGNL expression injection that triggers the instantiation of ProcessBuilder objects.

Business impact

The CVSS score of 9.8 reflects the extreme risk associated with this vulnerability. Because the exploit grants root-level execution, an attacker can gain complete control over the host system, leading to permanent data loss, full system compromise, and the potential for the platform to be used as a pivot point for further network attacks.

Remediation

Immediate Action: Apply the latest security update provided by Epross to patch the vulnerable login.action endpoint.

Proactive Monitoring: Review web server logs for suspicious OGNL payloads within the redirect parameter and monitor system process logs for unauthorized command execution.

Compensating Controls: Deploy a Web Application Firewall (WAF) configured to block requests containing OGNL expression syntax or suspicious redirect parameters.
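The log review and WAF pattern-matching recommendations above can be exercised with a small detection script. The following is an added example, not part of the advisory and not vendor code: it parses a handful of constructed access-log lines in combined log format, isolates the redirect parameter of requests to login.action, decodes it (bounded, so double-encoded values do not slip past), and flags OGNL expression indicators. The indicator patterns and the log format are assumptions for illustration and should be tuned to the deployment; the endpoint and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 2 and 3 carry URL-encoded OGNL-style syntax in the redirect parameter;
# the payloads are deliberately inert markers, not working expressions.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /login.action?redirect=/index.action HTTP/1.1" 302 0
203.0.113.11 - - [10/Mar/2024:12:00:02 +0000] "GET /login.action?redirect=%25%7B%28%23x%29%7D HTTP/1.1" 200 1843
203.0.113.12 - - [10/Mar/2024:12:00:03 +0000] "GET /login.action?redirect=%24%7B%40java.lang.ProcessBuilder%7D HTTP/1.1" 200 1843
203.0.113.13 - - [10/Mar/2024:12:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9123
"""

# Combined-log-format fields we need: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression indicators (assumed list; extend for your environment).
OGNL_PATTERNS = [
    ("expr_delim", re.compile(r'[%$]\{')),          # %{ ... } / ${ ... } delimiters
    ("context_ref", re.compile(r'#\w')),            # context/variable references like #foo
    ("static_access", re.compile(r'@[\w.]+@')),     # @pkg.Class@member static access
    ("process_builder", re.compile(r'ProcessBuilder', re.I)),
    ("java_lang", re.compile(r'java\.lang\.', re.I)),
]


def decode_param(value, rounds=3):
    """URL-decode repeatedly, bounded, so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_redirect(target):
    """Return indicator names matched in the redirect parameter of a login.action
    request target, or [] for other paths / clean values."""
    parts = urlsplit(target)
    if not parts.path.endswith("/login.action"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for raw in params.get("redirect", []):
        value = decode_param(raw)
        for name, pattern in OGNL_PATTERNS:
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits


def scan_log(text):
    """Return (ip, timestamp, target, indicators) for each log line whose
    login.action redirect parameter carries OGNL indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_redirect(m["target"])
        if hits:
            findings.append((m["ip"], m["ts"], m["target"], hits))
    return findings


if __name__ == "__main__":
    for ip, ts, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target} -> {', '.join(hits)}")
```

The same indicator list is a reasonable starting point for a WAF rule on the redirect parameter, but note that the `#` and `${` checks will also fire on some legitimate but unusual values, so review matches before turning a rule from alert to block.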

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the ability to achieve root-level code execution without authentication, this vulnerability must be treated as a priority. Ensure all systems are updated and that the management interface is not exposed to the public internet.