CVE-2014-125113
published 2025-08-05CVE-2014-125113: An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849…
PriorityP266critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
0.97%
57.6th percentile
An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the download_agent.php endpoint. An attacker can upload arbitrary PHP files to a temporary web-accessible directory, which are later executed through inclusion in backend code that loads files under attacker-controlled paths.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | quest_kace_k1000_systems_management_appliance | 5.0 – 5.3 | — |
| dell | quest_kace_k1000_systems_management_appliance | >= 5.4 < 5.4.76849 | 5.4.76849 |
| dell | quest_kace_k1000_systems_management_appliance | >= 5.5 < 5.5.90547 | 5.5.90547 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP POST requests to the /download_agent.php endpoint for multipart file upload activity, especially uploads of files with .php extensions. ↗
- →Alert on PHP file execution originating from temporary web-accessible directories on the KACE K1000 appliance, which may indicate a successfully uploaded and included webshell. ↗
- →Detect privilege escalation attempts via KSudoClient::RunCommandWait following initial www-user code execution on KACE K1000 appliances, as this is the known post-exploitation path to root. ↗
- →Unauthenticated requests to download_agent.php that result in file creation should be treated as high-severity; the exploit requires no authentication. ↗
- ·The vulnerability affects a specific version range; patched versions (5.4.76849+ and 5.5.90547+) are not affected. Ensure version fingerprinting is used to scope detection rules to vulnerable appliances only. ↗
- ·The Metasploit module was tested specifically against version 5.3; detection logic validated against this version may need adjustment for 5.0–5.2 and 5.4/5.5 pre-patch builds. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.htmlhttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/dell_kace_k1000_upload.rbhttps://www.exploit-db.com/exploits/39693https://www.vulncheck.com/advisories/dell-quest-kace-k1000-unauth-file-upload-rce
2025-08-05
Published