9.3
Epross AVCON6 management platform allows attackers to execute system commands
CVE-2018-25159
Summary
The Epross AVCON6 management platform has a flaw that lets attackers inject malicious expressions to run system commands without logging in. This could allow an attacker to access sensitive information or make changes to the system. Update the platform to the latest version to fix this issue.
Original title
Epross AVCON6 systems management platform contains an object-graph navigation language (OGNL) injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by injectin...
Original description
Epross AVCON6 systems management platform contains an object-graph navigation language (OGNL) injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by injecting malicious OGNL expressions. Attackers can send crafted requests to the login.action endpoint with OGNL payloads in the redirect parameter to instantiate ProcessBuilder objects and execute system commands with root privileges.
nvd CVSS3.1
9.8
nvd CVSS4.0
9.3
Vulnerability type
CWE-1334
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026
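
Added example (not part of the original advisory and not vendor code): a log check for the request pattern in the original description, flagging login.action requests whose redirect parameter carries OGNL expression markers, including double-encoded ones. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# OGNL expression delimiters plus the class named in the description above.
OGNL_MARKERS = re.compile(r"[$%]\{|ProcessBuilder|java\.lang\.", re.I)
# Assumed log format: Apache/nginx "combined" access log.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, inert marker strings).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Mar/2026:10:00:01 +0000] "GET /login.action?redirect=%2Fhome.action HTTP/1.1" 302 0',
    '203.0.113.9 - - [11/Mar/2026:10:00:05 +0000] "GET /login.action?redirect=%24%7BCONSTRUCTED-ProcessBuilder-MARKER%7D HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Mar/2026:10:00:09 +0000] "GET /login.action?redirect=%2524%257BMARKER%257D HTTP/1.1" 200 512',
    '192.0.2.44 - - [11/Mar/2026:10:00:12 +0000] "GET /index.action?redirect=%24%7BMARKER%7D HTTP/1.1" 200 90',
]

def fully_decode(text, max_rounds=3):
    """Undo nested URL encoding so double-encoded input cannot hide markers."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_redirects(log_lines):
    """Return (client_ip, decoded 'name=value') for flagged login.action requests."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        # Ignore path parameters such as ;jsessionid=... when matching the endpoint.
        if not url.path.split(";")[0].lower().endswith("/login.action"):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # Inspect name and value together so a marker is caught on either side.
            pair = fully_decode(f"{name}={value}")
            if name.lower().startswith("redirect") and OGNL_MARKERS.search(pair):
                hits.append((m.group("ip"), pair))
    return hits

if __name__ == "__main__":
    for ip, pair in suspicious_redirects(SAMPLE_LOG):
        print(ip, pair)
```

A match shows that a request of this shape was received, not that a command ran; it only covers query strings, so POST bodies need the same check at the application or proxy layer.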