CVE-2012-10046
CRITICALESVA_2057 - Command Injection
Title source: llmDescription
The E-Mail Security Virtual Appliance (ESVA) (tested on version ESVA_2057) contains an unauthenticated command injection vulnerability in the learn-msg.cgi script. The CGI handler fails to sanitize user-supplied input passed via the id parameter, allowing attackers to inject arbitrary shell commands. Exploitation requires no authentication and results in full command execution on the underlying system.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubywebappscgi
https://www.exploit-db.com/exploits/20712
metasploit
WORKING POC
EXCELLENT
by iJoo, juan vazquez · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/esva_exec.rb
References (5)
Scores
CVSS v4
9.3
EPSS
0.5295
EPSS Percentile
98.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Details
CWE
CWE-78
Status
published
Products (1)
ESVA-Project/E-Mail Security Virtual Appliance
ESVA_2057
Published
Aug 08, 2025
Tracked Since
Feb 18, 2026