cbcvebase.
CVE-2014-125113
published 2025-08-05

CVE-2014-125113: An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849…

PriorityP266critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
0.97%
57.6th percentile
An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the download_agent.php endpoint. An attacker can upload arbitrary PHP files to a temporary web-accessible directory, which are later executed through inclusion in backend code that loads files under attacker-controlled paths.

Affected

3 ranges
VendorProductVersion rangeFixed in
dellquest_kace_k1000_systems_management_appliance5.0 – 5.3
dellquest_kace_k1000_systems_management_appliance>= 5.4 < 5.4.768495.4.76849
dellquest_kace_k1000_systems_management_appliance>= 5.5 < 5.5.905475.5.90547

Detection & IOCsextracted from sources · hover to see the quote

path/download_agent.php
processKSudoClient::RunCommandWait
  • Monitor HTTP POST requests to the /download_agent.php endpoint for multipart file upload activity, especially uploads of files with .php extensions.
  • Alert on PHP file execution originating from temporary web-accessible directories on the KACE K1000 appliance, which may indicate a successfully uploaded and included webshell.
  • Detect privilege escalation attempts via KSudoClient::RunCommandWait following initial www-user code execution on KACE K1000 appliances, as this is the known post-exploitation path to root.
  • Unauthenticated requests to download_agent.php that result in file creation should be treated as high-severity; the exploit requires no authentication.
  • ·The vulnerability affects a specific version range; patched versions (5.4.76849+ and 5.5.90547+) are not affected. Ensure version fingerprinting is used to scope detection rules to vulnerable appliances only.
  • ·The Metasploit module was tested specifically against version 5.3; detection logic validated against this version may need adjustment for 5.0–5.2 and 5.4/5.5 pre-patch builds.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.