cbcvebase.
CVE-2014-125123
published 2025-07-31


Priority P1 84 critical 10 CVSS 4.0
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.67% (47.2th percentile)
An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator’s password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014.

Affected (1 range)

Vendor    Product  Version range  Fixed in
lxcenter  kloxo    < 6.1.12       6.1.12

Detection & IOCs (extracted from sources)

path: lbin/webcommand.php
path: display.php
  • Alert on authenticated POST/GET requests to display.php (Command Center) following anomalous login activity, especially those containing OS command syntax, as this is the RCE pivot point post-SQLi credential theft
  • Correlate Kloxo login events with subsequent Command Center usage — the exploit chain first extracts admin credentials via SQLi then authenticates and executes OS commands as root
  • Flag exploitation attempts originating from automated tools (e.g., Metasploit module kloxo_sqli.rb) by inspecting User-Agent strings and request patterns consistent with the module's tree-view server enumeration prior to payload execution
  • Exploitation was confirmed in the wild in January 2014; any Kloxo instance prior to version 6.1.12 is vulnerable and should be treated as potentially compromised if exposed to the internet during that period
  • The admin password is stored and retrieved in cleartext from the backend database, meaning credential rotation alone is insufficient without patching the SQLi vector
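The correlation the detection notes above describe, as an added example that is not part of this record or of the Kloxo project: a small Python detector run over constructed web-server access-log lines, flagging SQL metacharacters in the login-name parameter sent to lbin/webcommand.php and then any display.php request from the same client. The common-log format and the GET query-string form of login-name are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from any real Kloxo host).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2014:03:14:07 +0000] "GET /lbin/webcommand.php?login-name=admin HTTP/1.1" 200 512
203.0.113.5 - - [12/Jan/2014:03:14:09 +0000] "GET /lbin/webcommand.php?login-name=admin%27%20OR%201%3D1 HTTP/1.1" 200 2048
203.0.113.5 - - [12/Jan/2014:03:15:31 +0000] "POST /display.php HTTP/1.1" 200 300
198.51.100.7 - - [12/Jan/2014:04:00:00 +0000] "GET /lbin/webcommand.php?login-name=bob HTTP/1.1" 200 512
198.51.100.7 - - [12/Jan/2014:04:01:00 +0000] "GET /display.php HTTP/1.1" 200 300
"""

# Common log format: client, identd, user, [timestamp], "METHOD URL PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Quote/comment characters and SQL keywords that never belong in a login name.
SQLI_META = re.compile(r"['\"#;]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_webcommand_sqli(rec):
    """True if the request targets lbin/webcommand.php with a suspicious login-name."""
    parts = urlsplit(rec["url"])
    if not parts.path.endswith("/lbin/webcommand.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return any(SQLI_META.search(v) for v in params.get("login-name", []))


def is_command_center(rec):
    return urlsplit(rec["url"]).path.endswith("/display.php")


def detect(log_text):
    """Return (alert_type, client_ip, timestamp) tuples for the SQLi -> Command Center chain."""
    sqli_sources = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_webcommand_sqli(rec):
            sqli_sources.add(rec["ip"])
            alerts.append(("sqli_attempt", rec["ip"], rec["ts"]))
        elif is_command_center(rec) and rec["ip"] in sqli_sources:
            # Command Center use after an injection attempt from the same client is the RCE pivot.
            alerts.append(("post_sqli_command_center", rec["ip"], rec["ts"]))
    return alerts
```

Benign logins and Command Center use by clients that never sent an injection attempt (198.51.100.7 above) produce no alert.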

CVSS provenance

nvd  v4.0  10.0  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck  10.0  CRITICAL