Cyber Resilience

CVE-2019-25243

HighPublic PoCRCE

Published: 24 December 2025

Published
24 December 2025
Modified
30 December 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0232 81.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25243 is a high-severity OS Command Injection (CWE-78) vulnerability in Iwt Facesentry Access Control System Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability, classified under CWE-78, affecting the pingTest.php and tcpPortTest.php scripts. The flaw arises from unsanitized input parameters 'strInIP' and 'strInPort', which attackers can manipulate to inject and execute arbitrary shell commands with root privileges. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for complete system compromise.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network without user interaction. By sending crafted requests to the affected PHP scripts, the attacker achieves remote code execution as root, enabling full control over the host system, including data exfiltration, persistence, or further lateral movement.

Advisories and related resources are available from the vendor at http://www.iwt.com.hk, a proof-of-concept exploit at https://www.exploit-db.com/exploits/47064, and a detailed vulnerability report from Zero Science Labs at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php. These references provide further technical details but do not specify patch availability in the provided information.

EU & UK References

Vulnerability details

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authenticated remote command injection in web scripts enables exploitation of public-facing application (T1190), Unix shell execution (T1059.004), and privilege escalation from low privileges to root via the vulnerability (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25241Same product: Iwt Facesentry Access Control System
CVE-2019-25279Same product: Iwt Facesentry Access Control System
CVE-2024-58287Shared CWE-78
CVE-2025-56082Shared CWE-78
CVE-2025-60957Shared CWE-78
CVE-2013-10073Shared CWE-78
CVE-2026-26943Shared CWE-78
CVE-2025-56098Shared CWE-78
CVE-2021-47816Shared CWE-78
CVE-2025-56107Shared CWE-78

Affected Assets

iwt
facesentry access control system firmware
5.7.0, 5.7.2, 6.4.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents command injection by requiring validation and sanitization of unsanitized inputs like 'strInIP' and 'strInPort' parameters before processing in PHP scripts.

prevent

SI-2 requires timely identification, reporting, and correction of flaws such as this specific command injection vulnerability in pingTest.php and tcpPortTest.php.

prevent

AC-6 enforces least privilege, reducing the impact of injected commands by preventing the PHP scripts from executing with unnecessary root privileges.

References