CVE-2013-5015

EXPLOITED

Symantec Endpoint Protection Manager 11.0-11.0.7405.1424 and 12.1-12.1.4023.4080 - Authenticated SQL Injection

Title source: llm

Exploitation Summary

CVE-2013-5015 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from Metasploit, Chris Graham, and Stefan Viehbock, including the Metasploit module exploits/windows/antivirus/symantec_endpoint_manager_rce.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2013-5014 and CVE-2013-5015 in Symantec Endpoint Protection Manager by leveraging XXE and SQL injection to achieve remote command execution with SYSTEM privileges via xp_cmdshell.

Description

SQL injection vulnerability in the management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/31917

This Metasploit module exploits CVE-2013-5014 and CVE-2013-5015 in Symantec Endpoint Protection Manager by leveraging XXE and SQL injection to achieve remote command execution with SYSTEM privileges via xp_cmdshell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec Endpoint Protection Manager 11.0, 12.0, 12.1
No auth needed
Prerequisites: Network access to port 9090 · xp_cmdshell enabled in the target database
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Chris Graham · python · remote · windows
https://www.exploit-db.com/exploits/31853

This exploit leverages an XXE injection in Symantec Endpoint Protection Manager to trigger a SQL injection flaw, allowing remote command execution via the xp_cmdshell stored procedure in the embedded SQL Anywhere database.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec Endpoint Protection Manager 11.0, 12.0, 12.1
No auth needed
Prerequisites: Network access to the target SEPM server · Default or embedded database configuration
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Stefan Viehbock, Chris Graham · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb

This Metasploit module exploits XXE and SQL injection vulnerabilities in Symantec Endpoint Protection Manager to achieve remote command execution with SYSTEM privileges via xp_cmdshell. It uses a crafted XML payload to trigger the SQL injection and execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec Endpoint Protection Manager versions 11.0, 12.0, and 12.1
No auth needed
Prerequisites: Network access to the target's ConsoleServlet endpoint on port 9090 · xp_cmdshell enabled in the target's database instance
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/31853
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/31917
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/65467
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/103306

Scores

EPSS 0.6454
EPSS Percentile 98.5%

Details

VulnCheck KEV 2014-07-11
CWE: CWE-89
Status: published
Products (6)
symantec/endpoint_protection_manager 11.0
symantec/endpoint_protection_manager 12.1.0
symantec/endpoint_protection_manager 12.1.1
symantec/endpoint_protection_manager 12.1.2
symantec/endpoint_protection_manager 12.1.3
symantec/protection_center 12.0
Published Feb 14, 2014
Tracked Since Feb 18, 2026