CVE-2018-25114
published 2025-07-23
CVE-2018-25114: A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication…
Priority P182 · critical · 9.3 (CVSS 4.0)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.82% (84.8th percentile)
A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oscommerce | online_merchant | — | — |
Detection & IOCs (extracted from sources)
command: DIR_FS_DOCUMENT_ROOT=.%2F&DB_DATABASE=%27%29%3Bpassthru%28%27cat+%2Fetc%2Fpasswd%27%29%3B%2F%2A
- Detect exploitation attempts by monitoring POST requests to /install/install.php?step=4 with DB_DATABASE parameter containing PHP injection payloads (e.g., passthru, system, exec calls encoded in the POST body).
- Alert on GET requests to /install/includes/configure.php after a POST to /install/install.php?step=4, as this two-step sequence indicates the attacker is triggering injected PHP code execution.
- Monitor for the presence of an accessible /install/ directory post-installation; its existence is a prerequisite for exploitation.
- Inspect POST body for URL-encoded PHP function calls (passthru, system, exec) within the DB_DATABASE field targeting /install/install.php.
- Note: The vulnerability is only exploitable if the /install/ directory remains accessible after installation; removing it fully mitigates the attack surface.
- Note: The Nuclei template uses a two-request sequence (POST to inject, GET to trigger); detection rules should correlate both requests from the same source IP within a short time window.
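
One way to implement the correlation and POST-body checks listed above, as an added example that is not taken from any of the indexed sources. It assumes a combined-format access log and a 60-second window; the log lines are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample access-log lines; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2025:10:00:01 +0000] "POST /install/install.php?step=4 HTTP/1.1" 200 512
198.51.100.9 - - [23/Jul/2025:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 9000
203.0.113.7 - - [23/Jul/2025:10:00:03 +0000] "GET /install/includes/configure.php HTTP/1.1" 200 120
198.51.100.9 - - [23/Jul/2025:10:05:00 +0000] "POST /install/install.php?step=4 HTTP/1.1" 200 512
198.51.100.9 - - [23/Jul/2025:10:30:00 +0000] "GET /install/includes/configure.php HTTP/1.1" 200 120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TRIGGER_PATH = "/install/includes/configure.php"
# Function names the detection notes call out; \b avoids matching e.g. "filesystem(".
PHP_CALL_RE = re.compile(r"\b(passthru|system|exec)\s*\(", re.I)

def correlate(log_text, window=timedelta(seconds=60)):
    """Return (ip, post_time, get_time) for each POST-then-GET pair inside the window."""
    last_post, hits = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and path.startswith("/install/install.php") and "step=4" in path:
            last_post[ip] = when  # remember the most recent installer POST per source IP
        elif method == "GET" and path.split("?")[0] == TRIGGER_PATH:
            posted = last_post.get(ip)
            if posted and timedelta(0) <= when - posted <= window:
                hits.append((ip, posted, when))
    return hits

def suspicious_db_database(post_body):
    """True if the URL-decoded DB_DATABASE field contains a PHP execution call."""
    values = parse_qs(post_body, keep_blank_values=True).get("DB_DATABASE", [])
    return any(PHP_CALL_RE.search(v) for v in values)

if __name__ == "__main__":
    for ip, posted, triggered in correlate(SAMPLE_LOG):
        print(f"ALERT {ip}: installer POST at {posted}, configure.php GET at {triggered}")
```

The body check needs a source that records POST bodies (a WAF or reverse-proxy log); a standard access log supports only the correlation.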
CVSS provenance
- nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vulncheck · 9.3 CRITICAL
GHSA
GHSA-7hjh-7hp4-wr4c: A remote code execution vulnerability exists within osCommerce Online Merchant version 2
ghsa_unreviewed·2025-07-23
CVE-2018-25114 [CRITICAL] CWE-94 GHSA-7hjh-7hp4-wr4c: A remote code execution vulnerability exists within osCommerce Online Merchant version 2
VulnCheck
oscommerce online_merchant Improper Control of Generation of Code ('Code Injection')
vulncheck·2018·CVSS 9.3
CVE-2018-25114 [CRITICAL] oscommerce online_merchant Improper Control of Generation of Code ('Code Injection')
Affected: oscommerce online_merchant
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavaila
No detection rules found.
Metasploit
osCommerce Installer Unauthenticated Code Execution
metasploit
If the /install/ directory was not removed, it is possible for an unauthenticated attacker to run the "install_4.php" script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it.
Nuclei
osCommerce 2.3.4.1 - Remote Code Execution
nuclei·CVSS 9.3
CVE-2018-25114 [CRITICAL] osCommerce 2.3.4.1 - Remote Code Execution
osCommerce Online Merchant 2.3.4.1 contains a remote code execution caused by insecure default configuration and missing authentication in the installer workflow, letting unauthenticated attackers execute arbitrary PHP code via install_4.php, exploit requires accessible /install/ directory after installation.
Template:
```yaml
id: CVE-2018-25114
info:
  name: osCommerce 2.3.4.1 - Remote Code Execution
  author: Suman_Kar
  severity: critical
  description: |
    osCommerce Online Merchant 2.3.4.1 contains a remote code execution caused by insecure default configuration and missing authentication in the installer workflow, letting unauthenticated attackers execute arbitrary PHP code via install_4.php, exploit requires accessible /install/ directory after installat
```
No writeups or analysis indexed.
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb
- https://www.exploit-db.com/exploits/44374
- https://www.oscommerce.com/
- https://www.vulncheck.com/advisories/oscommerce-installer-unauth-config-file-injection-php-code-execution