2025-07-25 15:51:01
VulnCheck
PUBLISHED
A command injection vulnerability exists in the eScan Web Management Console version 5.5-2. The application fails to properly sanitize the pass parameter when processing login requests to login.php, allowing an authenticated attacker with a valid username to inject arbitrary commands via a specially crafted password value. Successful exploitation results in remote code execution. Privilege escalation to root is possible by abusing the runasroot utility with mwconf-level privileges.