CVE-2014-125116

CRITICAL

HybridAuth <2.2.2 - RCE

Title source: llm

Description

A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/34390

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by @u0x · textwebappsphp

https://www.exploit-db.com/exploits/34273

View Code ZIP pw:eip

metasploit WORKING POC MANUAL

by Pichaya Morimoto, bcoles · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb

View Code ZIP pw:eip

References (6)

[Various Sources] https://hybridauth.github.io/

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb

[Various Sources] https://vulners.com/metasploit/MSF:EXPLOIT-UNIX-WEBAPP-HYBRIDAUTH_INSTALL_PHP_EXEC-

[Third Party Advisory] https://www.vulncheck.com/advisories/hybridauth-unauth-rce-via-config-injection

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/34273

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/34390

Scores

CVSS v4 9.3

EPSS 0.5445

EPSS Percentile 98.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-306 CWE-434

Status published

Products (1)

HybridAuth/HybridAuth 2.0.9 - 2.2.2

Published Jul 25, 2025

Tracked Since Feb 18, 2026