Online Merchant - RCE (CVE-2018-25114)

CVE-2018-25114 is a critical remote code execution vulnerability in osCommerce Online Merchant 2.3.4.1, stemming from insecure default configurations and missing authentication in the installer workflow. Attackers can exploit the accessible /install/ directory to inject arbitrary PHP code into the configure.php file, leading to full server-side compromise when the file is executed. This flaw enables unauthenticated attackers to take complete control of the affected server, posing a severe risk to e-commerce sites running vulnerable versions.

CrowdSec has been tracking this vulnerability and its exploits since 29th of October 2025.

CrowdSec network data shows that most actors exploiting CVE-2018-25114 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2018-25114 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2018-25114 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit the osCommerce installer by sending crafted POST requests to /install/install.php?step=4 and subsequently accessing /install/includes/configure.php to execute arbitrary PHP code, targeting sites where the /install/ directory remains accessible after installation.