Command Injection Vulnerability in KaiYuanTong ECT Platform Affects Remote Functionality
CVE-2025-0328
Key Information:
- Vendor
- Kaiyuantong
- Status
- Ect Platform
- Vendor
- CVE Published:
- 9 January 2025
Badges
Summary
A command injection vulnerability exists within the KaiYuanTong ECT Platform, particularly in the /public/server/runCode.php file used for handling HTTP POST requests. An attacker can manipulate the 'code' argument, potentially allowing unauthorized commands to be executed on the server. This issue can be exploited remotely, exposing the system to significant risks. Despite prior notification to the vendor, no response has been received regarding the problem.
Affected Version(s)
ECT Platform 2.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
7% chance of being exploited in the next 30 days.
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved