CVE-2018-25159 CRITICAL

CVE-2018-25159: Epross AVCON6 OGNL Remote Code Execution via login.action

Vendor Epross
Product AVCON6 systems management platform
Weakness CWE-1334
Published March 11, 2026
Last update April 7, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Epross AVCON6 systems management platform contains an Object-Graph Navigation Language (OGNL) injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by injecting malicious OGNL expressions. The value of the redirect parameter sent to the login.action endpoint is evaluated as an OGNL expression, so a crafted request can instantiate a java.lang.ProcessBuilder object and execute system commands with root privileges. No credentials or user interaction are required.
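The following detection script is an added example for this page, not code from Epross or from the CVE record. It scans web-server access logs for requests to login.action whose redirect parameter carries OGNL expression syntax or references to the Java classes the description names. The log lines are constructed for illustration, the Apache combined log format is assumed, and the marker list is a heuristic that a practitioner should extend for their own environment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2026:10:01:02 +0000] "GET /login.action?redirect=/index.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Mar/2026:10:01:07 +0000] "GET /login.action?redirect=%25%7B%28%40java.lang.ProcessBuilder%40new%28%27id%27%29.start%28%29%29%7D HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [11/Mar/2026:10:01:09 +0000] "POST /login.action HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [11/Mar/2026:10:02:11 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Mar/2026:10:03:00 +0000] "GET /login.action?redirect=${@java.lang.Runtime@getRuntime().exec('id')} HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# Minimal parser for the Apache combined log format (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers: OGNL expression delimiters, static Java class access,
# process-execution classes, and Struts-style sandbox/context identifiers.
OGNL_MARKERS = (
    "%{", "${",
    "@java.lang.",
    "ProcessBuilder", "getRuntime",
    "#_memberAccess", "#context",
)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are caught."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def find_ognl_markers(value):
    """Return the markers present in the fully decoded parameter value."""
    decoded = decode_fully(value)
    return [m for m in OGNL_MARKERS if m in decoded]

def scan_log(text):
    """Flag login.action requests whose redirect parameter looks like OGNL."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/login.action"):
            continue
        # parse_qs performs one round of percent-decoding itself.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("redirect", []):
            hits = find_ognl_markers(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "markers": hits,
                    "redirect": decode_fully(value),
                })
    return findings

def sources_by_ip(findings):
    """Count flagged requests per client IP for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["markers"], f["redirect"])
    print(sources_by_ip(scan_log(SAMPLE_LOG)))
```

Two caveats when using this against real data: an access log only records the request line, so a payload delivered in a POST body (the third sample line) is invisible here and needs a WAF, reverse-proxy or application log that captures bodies; and a 200 response to a flagged request is a stronger signal than a 4xx, so the status field is kept in each finding for that reason.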

Key dates

Disclosure timeline

March 11, 2026 CVE published
April 7, 2026 Record updated