SQL Injection Vulnerability in Kloxo Web Hosting Control Panel by LXCenter
CVE-2014-125123

10CRITICAL

Key Information:

Vendor: Lxcenter
Status: Kloxo
Vendor: CVE Published:; 31 July 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2014-125123?

An unauthenticated SQL injection vulnerability is present in the Kloxo web hosting control panel, affecting versions before 6.1.12. This flaw stems from improper input sanitization in the login-name parameter of the lbin/webcommand.php file. By exploiting this vulnerability, attackers can extract sensitive information, such as the administrator's password from the backend database. Once gaining access to the control panel, they can execute arbitrary commands on the host system as root, significantly compromising the server’s security. This issue was noted to be actively exploited in the wild as early as January 2014.

Affected Version(s)

Kloxo * < 6.1.12

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2014-125123 - Proof of Concept

References

https://web.archive.org/web/20140301125222/http://www.web...

https://web.archive.org/web/20141118054734/https://vpsboa...

https://raw.githubusercontent.com/rapid7/metasploit-frame...

exploit

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jul 31, 2025
👾
Exploit known to exist
Jul 31, 2025
Vulnerability published
Jul 31, 2025
Vulnerability Reserved
Jul 30, 2025

Lxcenter

Badges

What is CVE-2014-125123?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline