HybridAuth 2.0.9 - 2.2.2 Unauthenticated RCE via install.php Configuration Injection | Advisories

Advisories

HybridAuth 2.0.9 - 2.2.2 Unauthenticated RCE via install.php Configuration Injection

severity: critical
date: July 25, 2025
Affecting: HybridAuth 2.0.9 - 2.2.2
CVE: CVE-2014-125116
CVE type: Unrestricted File Upload
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Metasploit Module
EDB-34273
EDB-34390 (Metasploit)
Product Site
Credit: Pichaya Morimoto