QwikSec

Security Database

CVE

CWE

Training

CVE-2012-10040

Published: Aug 11, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

Openfiler v2.x contains a command injection vulnerability in the system.html page. The device parameter is used to instantiate a NetworkCard object, whose constructor in network.inc calls exec() with unsanitized input. An authenticated attacker can exploit this to execute arbitrary commands as the openfiler user. Due to misconfigured sudoers, the openfiler user can escalate privileges to root via sudo /bin/bash without a password.

Vendor	Product	Versions
Openfiler	Openfiler	affected `2.0`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/openfiler_networkcard_exec.rb

exploit

https://www.exploit-db.com/exploits/21191

exploit

https://www.openfiler.com/

product

https://sourceforge.net/projects/openfiler/

product

http://web.archive.org/web/20210922060411/https://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/

technical-description

exploit

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.