CVE-2019-25289
Published: 08 January 2026
Summary
CVE-2019-25289 is a high-severity OS Command Injection (CWE-78) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25289 is an authenticated remote command injection vulnerability (CWE-78) affecting SmartLiving SmartLAN versions <=6.x. The issue resides in the web.cgi binary, where the 'par' POST parameter in the 'testemail' module is unsanitized, enabling attackers to inject arbitrary commands via the system() function call. This flaw allows execution of commands with root privileges, particularly exploitable using default credentials, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. Successful exploitation grants the ability to execute arbitrary system commands as root, potentially leading to full system compromise, including high impacts on confidentiality, integrity, and availability.
References including advisories, proof-of-concept exploits, and vulnerability details are available at sources such as cxsecurity.com, IBM X-Force Exchange, Packet Storm Security, Exploit-DB, and the vendor site at inim.biz. No specific patch or mitigation details are outlined in the provided CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1604
Vulnerability details
SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authenticated command injection in a public-facing web application (web.cgi), directly enabling exploitation of public-facing applications (T1190) and execution via Unix Shell command injection (T1059.004) with root privileges.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents command injection by requiring validation and sanitization of the unsanitized 'par' POST parameter before it reaches the system() function in web.cgi.
- SI-2 (Flaw Remediation): Mitigates the vulnerability through identification, reporting, and timely remediation or patching of the flaw in the 'testemail' module of web.cgi.
- Reduces the impact of a successful injection by enforcing least privilege on the web.cgi process, so that arbitrary command execution is limited to non-root privileges.
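As an added example, not the vendor's web.cgi code: a hypothetical C reconstruction of the 'testemail' sink described above, beside a hardened version that applies the SI-10 control (allowlist validation of 'par') and then starts the mailer through execv() instead of system(), so no shell ever parses the parameter. The sendmail path and its arguments are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Unsafe pattern as the advisory describes it (hypothetical reconstruction,
 * not the vendor's code): the request parameter is spliced into a command
 * string for system(), so shell metacharacters in it become extra commands. */
int testemail_unsafe(const char *par) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/usr/sbin/sendmail -t %s", par); /* assumed mailer */
    return system(cmd); /* a shell parses 'par': this is the CWE-78 sink */
}

/* SI-10 allowlist check for the 'par' value: one '@' with text on both sides,
 * a bounded length, and only characters that occur in a plain address.
 * Separators, quotes, backticks, '$', '(' and newlines never pass. */
bool par_is_valid_address(const char *par) {
    size_t n = strlen(par);
    if (n == 0 || n > 254) return false;
    const char *at = strchr(par, '@');
    if (at == NULL || at == par || at[1] == '\0' || strchr(at + 1, '@')) return false;
    for (const char *p = par; *p; p++) {
        unsigned char c = (unsigned char)*p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || strchr("@.-_+", c) != NULL;
        if (!ok) return false;
    }
    return true;
}

/* Hardened form: validate first, then run the mailer with an argv vector via
 * execv() so no shell ever sees the parameter. Returns the child's exit status,
 * or -1 when the input is rejected or the process cannot be started. */
int testemail_safe(const char *par) {
    if (!par_is_valid_address(par)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"/usr/sbin/sendmail", "-t", (char *)par, NULL}; /* assumed path */
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```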