QwikSec

Security Database

CVE

CWE

Training

CVE-2012-10046

Published: Aug 8, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

The E-Mail Security Virtual Appliance (ESVA) (tested on version ESVA_2057) contains an unauthenticated command injection vulnerability in the learn-msg.cgi script. The CGI handler fails to sanitize user-supplied input passed via the id parameter, allowing attackers to inject arbitrary shell commands. Exploitation requires no authentication and results in full command execution on the underlying system.

Vendor	Product	Versions
ESVA-Project	E-Mail Security Virtual Appliance	affected `ESVA_2057`

Weaknesses (CWE)

References

https://sourceforge.net/projects/esva-project/

product

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/esva_exec.rb

exploit

https://www.exploit-db.com/exploits/20551

exploit

https://www.exploit-db.com/exploits/20712

exploit

https://www.vulncheck.com/advisories/email-security-virtual-appliance-command-injection

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.