Command Injection Vulnerability in KaiYuanTong ECT Platform Affects Remote Functionality
CVE-2025-0328

6.9MEDIUM

Key Information:

Vendor

Kaiyuantong

Status
Ect Platform
Vendor
CVE Published:
9 January 2025

Badges

👾 Exploit Exists

What is CVE-2025-0328?

A command injection vulnerability exists within the KaiYuanTong ECT Platform, particularly in the /public/server/runCode.php file used for handling HTTP POST requests. An attacker can manipulate the 'code' argument, potentially allowing unauthorized commands to be executed on the server. This issue can be exploited remotely, exposing the system to significant risks. Despite prior notification to the vendor, no response has been received regarding the problem.

Affected Version(s)

ECT Platform 2.0

References

https://vuldb.com/?id.290792
vdb-entrytechnical-description
https://vuldb.com/?ctiid.290792
signaturepermissions-required
https://vuldb.com/?submit.470601
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

glzjin (VulDB User)
.