CVE-2018-25114
CRITICAL EXPLOITED NUCLEIosCommerce Online Merchant <2.3.4.1 - RCE
Title source: llmDescription
A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by Simon Scannell · pythonwebappsphp
https://www.exploit-db.com/exploits/44374
metasploit
WORKING POC
EXCELLENT
by Simon Scannell, Daniel Teixeira · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb
Nuclei Templates (1)
osCommerce 2.3.4.1 - Remote Code Execution
CRITICALVERIFIEDby Suman_Kar
References (4)
Scores
CVSS v4
9.3
EPSS
0.7299
EPSS Percentile
98.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Details
VulnCheck KEV
2025-11-05
CWE
CWE-434
CWE-94
Status
published
Products (1)
osCommerce/Online Merchant
2.3.4.1
Published
Jul 23, 2025
Tracked Since
Feb 18, 2026