CVE-2013-5014

EXPLOITED

Symantec Endpoint Protection Manager < 11.0.7405.1424 and 12.1 < 12.1.4023.4080 - XML External Entity Injection

Exploitation Summary

CVE-2013-5014 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits, credited to Metasploit, Chris Graham, and Stefan Viehbock, including the Metasploit module exploits/windows/antivirus/symantec_endpoint_manager_rce.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2013-5014 and CVE-2013-5015 in Symantec Endpoint Protection Manager by leveraging XXE and SQL injection to achieve remote command execution with SYSTEM privileges via xp_cmdshell.

Description

The management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/31917

This Metasploit module exploits CVE-2013-5014 and CVE-2013-5015 in Symantec Endpoint Protection Manager by leveraging XXE and SQL injection to achieve remote command execution with SYSTEM privileges via xp_cmdshell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec Endpoint Protection Manager 11.0, 12.0, 12.1
No auth needed
Prerequisites: Network access to port 9090 · xp_cmdshell enabled in the target database
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Chris Graham · python · remote · windows
https://www.exploit-db.com/exploits/31853

This exploit leverages an XXE injection in Symantec Endpoint Protection Manager to trigger a SQL injection flaw, allowing remote command execution via the xp_cmdshell stored procedure in the embedded SQL Anywhere database.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec Endpoint Protection Manager 11.0, 12.0, 12.1
No auth needed
Prerequisites: Network access to the target SEPM server · Default or embedded database configuration
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Stefan Viehbock, Chris Graham · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb

This Metasploit module exploits CVE-2013-5014 by chaining XXE and SQL injection vulnerabilities in Symantec Endpoint Protection Manager to achieve remote command execution with SYSTEM privileges via xp_cmdshell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec Endpoint Protection Manager 11.0, 12.0, 12.1
No auth needed
Prerequisites: Network access to port 9090 · Target running vulnerable Symantec Endpoint Protection Manager
devstral-2 · analyzed Apr 24, 2026

Scores

EPSS: 0.8620
EPSS Percentile: 99.4%

Details

VulnCheck KEV: 2014-07-11
Status: published
Products (6):
symantec/endpoint_protection_manager 11.0
symantec/endpoint_protection_manager 12.1.0
symantec/endpoint_protection_manager 12.1.1
symantec/endpoint_protection_manager 12.1.2
symantec/endpoint_protection_manager 12.1.3
symantec/protection_center 12.0
Published: Feb 14, 2014
Tracked Since: Feb 18, 2026