CVE-2019-25243
Published: 24 December 2025
Summary
CVE-2019-25243 is a high-severity OS Command Injection (CWE-78) vulnerability in Iwt Facesentry Access Control System Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents command injection by requiring validation and sanitization of unsanitized inputs like 'strInIP' and 'strInPort' parameters before processing in PHP scripts.
SI-2 requires timely identification, reporting, and correction of flaws such as this specific command injection vulnerability in pingTest.php and tcpPortTest.php.
AC-6 enforces least privilege, reducing the impact of injected commands by preventing the PHP scripts from executing with unnecessary root privileges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated remote command injection in web scripts enables exploitation of public-facing application (T1190), Unix shell execution (T1059.004), and privilege escalation from low privileges to root via the vulnerability (T1068).
NVD Description
FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.
Deeper analysisAI
FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability, classified under CWE-78, affecting the pingTest.php and tcpPortTest.php scripts. The flaw arises from unsanitized input parameters 'strInIP' and 'strInPort', which attackers can manipulate to inject and execute arbitrary shell commands with root privileges. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for complete system compromise.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network without user interaction. By sending crafted requests to the affected PHP scripts, the attacker achieves remote code execution as root, enabling full control over the host system, including data exfiltration, persistence, or further lateral movement.
Advisories and related resources are available from the vendor at http://www.iwt.com.hk, a proof-of-concept exploit at https://www.exploit-db.com/exploits/47064, and a detailed vulnerability report from Zero Science Labs at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php. These references provide further technical details but do not specify patch availability in the provided information.
Details
- CWE(s)