This Metasploit module exploits multiple vulnerabilities in Visual Mining NetCharts. First, a lack of input validation in the administration console permits arbitrary jsp code upload to locations accessible later through the web service. Authentication is typically required, however a ‘hidden’ user is available by default (and non editable). This user, named ‘Scheduler’, can only login to the console after any modification in the user database (a user is added, admin password is changed etc). If the ‘Scheduler’ user isn’t available valid credentials must be supplied. The default Admin password is Admin.