CVE-2015-7901

Infinite Automation Mango Automation <2.6.0-430 - Command Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-7901. PoCs published by James Fitts.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in Infinite Automation Mango Automation by authenticating as a user and sending a maliciously crafted POST request to execute arbitrary commands via the `testProcessCommand` method.

Description

Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to execute arbitrary OS commands via unspecified vectors.

Exploits (2)

exploitdb WORKING POC VERIFIED
by James Fitts · ruby · remote · jsp
https://www.exploit-db.com/exploits/42698

This Metasploit module exploits a command injection vulnerability in Infinite Automation Mango Automation by authenticating as a user and sending a maliciously crafted POST request to execute arbitrary commands via the `testProcessCommand` method.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Infinite Automation Mango Automation v2.5.0 - 2.6.0 beta (builds prior to 430)
Auth required
Prerequisites: Valid credentials for the Mango Automation web interface · Network access to the target system on port 8080
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
webapps · jsp
https://www.exploit-db.com/exploits/38338

The exploit demonstrates a CSRF-based file upload vulnerability in Mango Automation 2.6.0, allowing arbitrary JSP code execution by uploading a malicious JSP file via the 'graphicalViewsBackgroundUpload' endpoint. It also includes a CSRF exploit for arbitrary command execution and details for SQL injection and debug log exposure.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mango Automation 2.5.2 and 2.6.0 beta (build 327)
Auth required
Prerequisites: Authenticated session · Access to the target application
devstral-2 · analyzed Feb 19, 2026

References (2)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42698/
Patch, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02

Scores

EPSS 0.0326
EPSS Percentile 86.7%

Details

CWE: CWE-78
Status: published
Products (3)
infinite_automation_systems/mango_automation 2.5.0
infinite_automation_systems/mango_automation 2.5.5
infinite_automation_systems/mango_automation 2.6.0
Published Oct 28, 2015
Tracked Since Feb 18, 2026