CVE-2014-125123

CRITICAL EXPLOITED

Kloxo < 6.1.12 - Unauthenticated SQL Injection via Login-Name Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2014-125123 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Metasploit, Unknown, juan vazquez, including a Metasploit module exploits/linux/http/kloxo_sqli.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated SQL injection vulnerability in Kloxo to retrieve the admin password, then leverages the Command Center function for remote code execution. It includes full exploit chain logic, from SQLi-based password extraction to authenticated RCE via multipart form data.

Description

An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator’s password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremoteunix
https://www.exploit-db.com/exploits/31577

This Metasploit module exploits an unauthenticated SQL injection vulnerability in Kloxo to retrieve the admin password, then leverages the Command Center function for remote code execution. It includes full exploit chain logic, from SQLi-based password extraction to authenticated RCE via multipart form data.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Kloxo (CentOS)
No auth needed
Prerequisites: Network access to Kloxo web interface (port 7778) · Vulnerable Kloxo installation
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC MANUAL
by Unknown, juan vazquez · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/kloxo_sqli.rb

This Metasploit module exploits an unauthenticated SQL injection (CVE-2014-125123) in Kloxo to retrieve the admin password, then abuses the Command Center function for remote code execution. It includes brute-forcing techniques to extract the password and execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Sqli | Rce
Complexity
Moderate
Reliability
Reliable
Target: Kloxo (version unspecified, likely older versions)
No auth needed
Prerequisites: Network access to Kloxo web interface (port 7778 by default) · SQL injection vulnerability in webcommand.php
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v4 10.0
EPSS 0.0067
EPSS Percentile 46.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-07-31
CWE
CWE-89
Status published
Products (1)
LXCenter/Kloxo < 6.1.12
Published Jul 31, 2025
Tracked Since Feb 18, 2026