LeakyCreds

CVE-2018-25159 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: March 11, 2026

Epross AVCON6 - Expression Language Injection

Published: March 11, 2026 | Updated: March 11, 2026 | Remote Exploitable

Overview

The Epross AVCON6 systems management platform contains an expression language injection vulnerability: the redirect parameter of login.action is subject to OGNL injection, which lets unauthenticated attackers execute arbitrary commands with root privileges.
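
For detection, the following added example (not code from the vendor or from this advisory) scans web access logs for requests to login.action whose redirect parameter decodes to an OGNL expression marker. The combined log format, the sample lines and the `${` / `%{` marker heuristic are assumptions, and POST bodies are not visible in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (assumed combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Mar/2026:10:00:01 +0000] "GET /login.action?redirect=%2Findex.action HTTP/1.1" 200 512',
    '198.51.100.9 - - [11/Mar/2026:10:00:05 +0000] "GET /login.action?redirect=%24%7B1%2B1%7D HTTP/1.1" 200 498',
    '198.51.100.9 - - [11/Mar/2026:10:00:06 +0000] "GET /login.action?redirect=%2525%257B1%252B1%257D HTTP/1.1" 200 498',
    '198.51.100.7 - - [11/Mar/2026:10:00:09 +0000] "GET /login.action;jsessionid=ABC?redirect=%2Findex.action HTTP/1.1" 200 512',
    '198.51.100.8 - - [11/Mar/2026:10:00:12 +0000] "GET /search.action?q=%24%7Bx%7D HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: injected expressions use the usual "${" or "%{" OGNL markers.
OGNL_MARKER = re.compile(r"[$%]\{")

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_redirect(log_line):
    """Return the decoded redirect value if it looks like an OGNL expression."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Drop ";jsessionid=..." style path parameters before matching the action.
    if not parts.path.split(";")[0].lower().endswith("/login.action"):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "redirect":
            decoded = fully_decode(value)
            if OGNL_MARKER.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(i, hit) for i, line in enumerate(lines, 1)
            if (hit := suspicious_redirect(line))]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: redirect decodes to {value!r}")
```

A hit is a lead for triage, not proof of compromise; correlate flagged requests with process and authentication activity on the host.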

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Unauthenticated attackers can execute arbitrary system commands with root privileges, leading to full system compromise.

Mitigation

Update to the latest version in which the vulnerability is fixed.

Details

CVE ID: CVE-2018-25159
Severity: Critical
CVSS Score: 9.8
Type: expression_language_injection
Status: new

CWE

  • CWE-1334

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H