CVE-2018-25159
CRITICAL
Unauthorized Error Injection Can Degrade Hardware Redundancy (CWE-1334)
2026-03-11
disclosure@vulncheck.com
9.3
CVSS 4.0
Share
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X
Lifecycle Timeline
4
CVSS changed
Apr 15, 2026 - 15:22 NVD
9.8 (CRITICAL)
9.3 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
PoC Detected
Mar 12, 2026 - 21:08 vuln.today
Public exploit code
CVE Published
Mar 11, 2026 - 19:15 nvd
CRITICAL 9.8
DescriptionNVD
Epross AVCON6 systems management platform contains an object-graph navigation language (OGNL) injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by injecting malicious OGNL expressions. Attackers can send crafted requests to the login.action endpoint with OGNL payloads in the redirect parameter to instantiate ProcessBuilder objects and execute system commands with root privileges.
AnalysisAI
OGNL injection in Epross AVCON6 management platform. PoC available.
Technical ContextAI
CWE-1334 OGNL injection.
Affected ProductsAI
Epross AVCON6
RemediationAI
Apply patch.
Share
External POC / Exploit Code
Leaving vuln.today
Destination URL
POC code from unknown sources may be malicious, contain backdoors, or be fake.
Always review and test exploit code in a safe, isolated environment (VM/sandbox).
Verify the source reputation and cross-reference with known databases (Exploit-DB, GitHub Security).