CVE-2014-125123

CVE-2014-125123 is a critical-severity vulnerability with a CVSS 4.0 base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-89.

Key facts

Description

An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator’s password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014.

Frequently asked questions

What is CVE-2014-125123?
An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator’s password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014.
How severe is CVE-2014-125123?
CVE-2014-125123 has a CVSS 4.0 base score of 10.0, rated critical severity.
Is CVE-2014-125123 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (49th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2014-125123?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2014-125123 have an EU (EUVD) identifier?
Yes. CVE-2014-125123 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2014-9816.
When was CVE-2014-125123 published?
CVE-2014-125123 was published on 2025-07-31 and last updated on 2026-06-17.

References

Other CWE-89 (SQL Injection) vulnerabilities

Browse all CWE-89 (SQL Injection) vulnerabilities →