CVE-2014-125116
CRITICAL: HybridAuth 2.0.9-2.2.2 - Unauthenticated Remote Code Execution via install.php Config Injection
Title source: LLM
Exploitation Summary
EIP tracks 3 public exploits for CVE-2014-125116.
PoCs published by Metasploit, @u0x, Pichaya Morimoto, bcoles, including Metasploit module exploits/unix/webapp/hybridauth_install_php_exec.
AI-analyzed exploit summary
This Metasploit module exploits a PHP code execution vulnerability in HybridAuth versions 2.0.9 to 2.2.2 by leveraging an unremoved install.php file to overwrite the config.php file with malicious code. The exploit writes a backdoor, executes the payload, and attempts to clean up by removing the backdoor.
Description
A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.
Exploits (3)
This Metasploit module exploits a PHP code execution vulnerability in HybridAuth versions 2.0.9 to 2.2.2 by leveraging an unremoved install.php file to overwrite the config.php file with malicious code. The exploit writes a backdoor, executes the payload, and attempts to clean up by removing the backdoor.
This exploit demonstrates a PHP code injection vulnerability in HybridAuth <= 2.2.2 via insufficient sanitization in the `install.php` script, allowing arbitrary command execution through crafted POST requests.
This Metasploit module exploits a PHP code execution vulnerability in HybridAuth by leveraging an unremoved install.php file to overwrite the config.php file with malicious code. It includes checks for vulnerability, payload delivery, and cleanup steps.
References (6)
Scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N