CVE-2020-25494

CRITICAL EXPLOITED IN THE WILD

Xinuos Openserver - OS Command Injection

Title source: rule

Description

Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook.

Exploits (1)

exploitdb WORKING POC

by Ramikan · textwebappssco

https://www.exploit-db.com/exploits/49301

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/160635/SCO-Openserver-5.0.7-Command-Injection.html

[Exploit, Third Party Advisory] https://github.com/Ramikan/Vulnerabilities/blob/master/SCO%20Openserver%20OS%20Command%20Injection%20Vulnerability

Scores

CVSS v3 9.8

EPSS 0.6070

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-06-03

InTheWild.io 2021-09-30

CWE

CWE-78

Status published

Products (2)

xinuos/openserver 5.0.7

xinuos/openserver 6.0

Published Dec 18, 2020

Tracked Since Feb 18, 2026