Cyber Resilience

CVE-2019-25289

High · Public PoC · RCE

Published: 08 January 2026

Modified: 15 April 2026
CVSS v4.0 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0169 (74.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25289 is a high-severity OS Command Injection (CWE-78) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25289 is an authenticated remote command injection vulnerability (CWE-78) affecting SmartLiving SmartLAN versions <=6.x. The issue resides in the web.cgi binary, where the 'par' POST parameter in the 'testemail' module is unsanitized, enabling attackers to inject arbitrary commands via the system() function call. This flaw allows execution of commands with root privileges, particularly exploitable using default credentials, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. Successful exploitation grants the ability to execute arbitrary system commands as root, potentially leading to full system compromise, including high impacts on confidentiality, integrity, and availability.

References including advisories, proof-of-concept exploits, and vulnerability details are available at sources such as cxsecurity.com, IBM X-Force Exchange, Packet Storm Security, Exploit-DB, and the vendor site at inim.biz. No specific patch or mitigation details are outlined in the provided CVE information.

Vulnerability details

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.

CWE(s)

CWE-78 OS Command Injection
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an authenticated command injection in a public-facing web application (web.cgi), directly enabling exploitation of public-facing applications (T1190) and execution via Unix Shell command injection (T1059.004) with root privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Affected Assets

Cxsecurity (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly prevents command injection by requiring validation and sanitization of the unsanitized 'par' POST parameter before it reaches the system() function in web.cgi.

prevent: Mitigates the vulnerability through identification, reporting, and timely remediation or patching of the flaw in the 'testemail' module of web.cgi.

prevent: Reduces impact of successful injection by enforcing least privilege on the web.cgi process, limiting arbitrary command execution to non-root privileges.
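As an added illustration (not code from SmartLAN, the vendor, or any of the referenced advisories), the shape of the CWE-78 flaw this record describes is shown next to the two-part fix the SI-10 control calls for: allowlist validation of the parameter, then execution without a shell. The helper path, its -t flag and all function names are constructed for the example.

```c
/* Added illustration, not SmartLAN code: the CWE-78 pattern this record
 * describes next to a hardened variant. Helper path and names are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define MAILTEST "/usr/local/libexec/mailtest"   /* hypothetical helper binary */

/* Vulnerable shape: untrusted 'par' is spliced into a shell command line,
 * so any shell metacharacter in it is interpreted by /bin/sh. */
int testemail_vulnerable(const char *par) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, MAILTEST " %s", par);
    return system(cmd);
}

/* Step 1 (SI-10): allowlist validation. Accept a bounded string with exactly
 * one '@', non-empty sides and a conservative character set; anything the
 * shell treats specially (; | & $ ` space, quotes) is rejected outright. */
int valid_email_param(const char *par) {
    size_t len = strlen(par);
    const char *at = strchr(par, '@');
    if (len == 0 || len > 254 || !at || at == par || at[1] == '\0') return 0;
    if (strchr(at + 1, '@')) return 0;                /* a second '@' */
    for (const char *p = par; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (p == at || isalnum(c) || c == '.' || c == '-' || c == '_' ||
            (c == '+' && p < at))
            continue;
        return 0;
    }
    return 1;
}

/* Step 2: no shell at all. The value travels as its own argv element, so
 * metacharacters carry no meaning. -1 = rejected or fork failed. */
int testemail_hardened(const char *par) {
    if (!valid_email_param(par)) return -1;          /* reject before any exec */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {MAILTEST, "-t", (char *)par, NULL};
        execv(MAILTEST, argv);
        _exit(127);                                   /* helper missing */
    }
    int status;
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}
```

Running the web.cgi process as a non-root user, as the third control above states, bounds the damage if either step is ever bypassed.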
