Critical severityNVD Advisory· Published Aug 11, 2025· Updated Apr 15, 2026

CVE-2012-10040

Description

Openfiler v2.x contains a command injection vulnerability in the system.html page. The device parameter is used to instantiate a NetworkCard object, whose constructor in network.inc calls exec() with unsanitized input. An authenticated attacker can exploit this to execute arbitrary commands as the openfiler user. Due to misconfigured sudoers, the openfiler user can escalate privileges to root via sudo /bin/bash without a password.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

web.archive.org/web/20210922060411/https://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/nvd
raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/openfiler_networkcard_exec.rbnvd
sourceforge.net/projects/openfiler/nvd
www.exploit-db.com/exploits/21191nvd
www.openfiler.comnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.045
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000