CVE-2025-0328
Published: 09 January 2025
Description
A vulnerability, which was classified as critical, has been found in KaiYuanTong ECT Platform up to 2.0.0. Affected by this issue is some unknown functionality of the file /public/server/runCode.php of the component HTTP POST Request Handler. The manipulation of the argument code leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-0328 is a critical command injection vulnerability affecting KaiYuanTong ECT Platform versions up to 2.0.0. The issue resides in an unknown functionality of the file /public/server/runCode.php within the HTTP POST Request Handler component, where manipulation of the "code" argument enables arbitrary command execution. Classified under CWE-74 and CWE-77, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on January 9, 2025.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no privileges or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to execute arbitrary commands on the server. An exploit has been publicly disclosed and may be actively used.
Advisories from sources like VulDB note that the vendor was contacted early regarding the disclosure but provided no response, with no patches or mitigations mentioned. References include detailed entries on VulDB (ctiid.290792, id.290792, submit.470601) and zhaoj.in notes.
Details
- CWE(s)