CVE-2018-25114

CRITICAL EXPLOITED NUCLEI

osCommerce Online Merchant <2.3.4.1 - RCE

Title source: llm

Exploitation Summary

CVE-2018-25114 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Simon Scannell and Daniel Teixeira, among them the Metasploit module exploits/multi/http/oscommerce_installer_unauth_code_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit targets osCommerce 2.3.4.1 by injecting PHP code into the configuration file via an unauthenticated reinstallation process. It leverages the lack of authentication checks in the install.php script to execute arbitrary commands.

Description

A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.
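
A local audit for the conditions described above, as an added example that is not part of the original record or of either listed exploit: it flags a leftover install directory, a configure.php with any write bit set, and configure.php lines that are not plain define() statements. The allowed-line patterns, the finding labels and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor or exploit-author code.
# Assumption: a clean configure.php holds only PHP tags, // comments, blank
# lines and define('NAME', <quoted string | true | false | number>); lines.

# audit_oscommerce ROOT: print one finding per line, nothing if clean.
audit_oscommerce() {
    root=$1
    # Installer directory still present after installation.
    find "$root" -type d -name install | while IFS= read -r d; do
        echo "INSTALLER_PRESENT $d"
    done
    find "$root" -type f -name configure.php | while IFS= read -r f; do
        # Any write bit set in the file mode (owner, group or other).
        case $(ls -ld "$f" | cut -c2-10) in
            *w*) echo "CONFIG_WRITABLE $f" ;;
        esac
        # Lines matching none of the allowed forms need manual review; the
        # define pattern is anchored, so trailing text after ');' is flagged.
        grep -nEv \
            -e '^[[:space:]]*$' \
            -e '^[[:space:]]*(<\?php|\?>)[[:space:]]*$' \
            -e '^[[:space:]]*//' \
            -e "^[[:space:]]*define\('[A-Za-z_][A-Za-z0-9_]*',[[:space:]]*('[^']*'|true|false|[0-9]+)\);[[:space:]]*\$" \
            "$f" | while IFS= read -r line; do
            echo "CONFIG_UNEXPECTED $f:${line%%:*}"
        done
    done
    return 0
}

# Constructed sample tree for a dry run: one clean config, one tampered.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/shop/install" "$t/shop/includes" "$t/clean/includes"
    printf "<?php\n  define('DB_SERVER', 'localhost');\n  define('ENABLE_SSL', false);\n?>\n" \
        > "$t/clean/includes/configure.php"
    chmod 444 "$t/clean/includes/configure.php"
    printf "<?php\n  define('DB_SERVER', 'localhost');\n  placeholder_unexpected_statement();\n?>\n" \
        > "$t/shop/includes/configure.php"
    chmod 644 "$t/shop/includes/configure.php"
    echo "$t"
}

if [ $# -gt 0 ]; then audit_oscommerce "$1"; fi
```

Run it as `sh audit.sh /path/to/webroot`; a CONFIG_UNEXPECTED finding is a prompt to diff the file against a known-good copy, not proof of compromise.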

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Simon Scannell · python · webapps · php
https://www.exploit-db.com/exploits/44374

This exploit targets osCommerce 2.3.4.1 by injecting PHP code into the configuration file via an unauthenticated reinstallation process. It leverages the lack of authentication checks in the install.php script to execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: osCommerce 2.3.4.1
No auth needed
Prerequisites: The /install/ directory must not have been removed post-installation
devstral-2 · analyzed Feb 18, 2026

metasploit · WORKING POC · EXCELLENT
by Simon Scannell, Daniel Teixeira · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb

This Metasploit module exploits an unauthenticated code execution vulnerability in osCommerce by injecting PHP code into the configuration file via the installer script. It leverages the presence of the /install/ directory to execute arbitrary payloads.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: osCommerce 2.3.4.1
No auth needed
Prerequisites: Presence of the /install/ directory · Writable configure.php file
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

osCommerce 2.3.4.1 - Remote Code Execution
CRITICAL · VERIFIED · by Suman_Kar

Scores

CVSS v4 9.3
EPSS 0.0351
EPSS Percentile 87.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-11-05
CWE: CWE-434, CWE-94
Status: published
Products (1): osCommerce/Online Merchant 2.3.4.1
Published: Jul 23, 2025
Tracked Since: Feb 18, 2026