CRITICAL🇵🇱 Wersja polska

CVE-2012-10047

CVSS 10.0v4.0pub. 2025-08-08upd. 2026-05-26

Cyclope Employee Surveillance Solution versions 6.x are vulnerable to a SQL injection flaw in its login mechanism. The username parameter in the auth-login POST request is not properly sanitized, allowing attackers to inject arbitrary SQL statements. This can be leveraged to write and execute a malicious PHP file on disk, resulting in remote code execution under the SYSTEM user context.

🤖 AI Analysis
How it works

The username parameter in the POST request to the auth-login endpoint is not properly filtered, allowing injection of arbitrary SQL instructions. The attacker can exploit this vulnerability to write a malicious PHP file to the server disk and then call it remotely, thereby achieving remote code execution (RCE). This occurs without the need for any credentials and requires no user interaction. The code is executed in the context of the SYSTEM account, which means the highest privilege level in the Windows environment.

Impact

The attacker gains remote code execution (RCE) with SYSTEM privileges, enabling complete takeover of the operating system, including data theft, malware installation, and lateral movement within the network.

Mitigation & patch

Apply patches available from the vendor according to the references. If updating is not possible, consider restricting network access to the web application interface to trusted hosts only and monitor traffic for SQL injection attempts.

Who is affected

Cyclope Employee Surveillance Solution in versions 6.x

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLi
CWE
References