CVE-2019-25441
Published: 20 February 2026
Summary
CVE-2019-25441 is a critical-severity OS command injection (CWE-78) vulnerability in thesystem by kostasmitroglou. The summary score shown here is a CVSS base score of 9.3 (Critical); note that the CVSS v3.1 vector quoted in the deeper analysis below scores 9.8.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2019-25441 is a command injection vulnerability (CWE-78) affecting thesystem version 1.0, specifically in the run_command endpoint. The flaw enables unauthenticated attackers to execute arbitrary system commands by submitting malicious input via POST requests, where shell commands are injected through the command parameter. This results in remote code execution on the server without requiring authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for complete compromise of confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted POST requests to the run_command endpoint with malicious payloads in the command parameter. Successful exploitation allows arbitrary command execution on the server, potentially leading to full system compromise, data exfiltration, privilege escalation, or deployment of persistent malware.
Advisories and related resources, including the GitHub repository at https://github.com/kostasmitroglou/thesystem, an Exploit-DB entry at https://www.exploit-db.com/exploits/47441, and a VulnCheck advisory at https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpoint, provide further details on the issue, proof-of-concept exploits, and potential mitigation guidance such as input validation or endpoint restrictions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19607
Vulnerability details
thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
Unauthenticated command injection in the public-facing run_command endpoint is exploited over the network like any other exposed application flaw (T1190), and the injected payload is executed by the server's Unix shell (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- Input validation: validate the command parameter of the run_command endpoint so that only expected, well-formed inputs are accepted and shell metacharacters or extra commands are rejected, which directly prevents command injection.
- AC-14 (Permitted Actions Without Identification or Authentication): define and restrict what may be done without authentication so that the vulnerable run_command endpoint is not reachable anonymously.
- AC-3 (Access Enforcement): enforce approved access authorizations, requiring authentication and authorization for the run_command endpoint to block unauthenticated attackers.
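The following Python is an added example, not code from the thesystem project or from the advisories above. It models a run_command-style handler in both forms the deeper analysis and the mitigating controls describe: the CWE-78 pattern (the POST `command` field handed straight to a shell, no caller identity checked) beside a hardened handler that applies the three controls listed above in order: deny anonymous access (AC-14), enforce an authorization check (AC-3), then validate the command against an allowlist and execute it without a shell. The handler shape, the session dictionary, the allowlisted commands and paths, and the sample payloads are all assumptions made for the example.

```python
"""Added example: vulnerable vs hardened run_command handler (not thesystem's code)."""
import re
import shlex
import subprocess

# Assumed allowlist: each permitted command name maps to the executable that
# will actually be run and to the only arguments allowed after it.
ALLOWED_COMMANDS = {
    "uptime":   {"path": "/usr/bin/uptime", "args": set()},
    "hostname": {"path": "/bin/hostname",   "args": set()},
    "df":       {"path": "/bin/df",         "args": {"-h"}},
}
MAX_COMMAND_LENGTH = 64
# Defence in depth: reject any token carrying shell metacharacters even if it
# would otherwise fail the allowlist anyway.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n\r]")


class CommandRejected(ValueError):
    """Raised when a submitted command fails validation."""


def vulnerable_run_command(request_body):
    """The CWE-78 pattern the advisory describes: the `command` field goes
    verbatim to /bin/sh and nobody checks who is calling, so a body such as
    {"command": "uptime; id"} also runs `id`.  Illustrative only; do not deploy."""
    cmd = request_body.get("command", "")
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_command(raw):
    """Parse the submitted string into an argv and check every token against
    the allowlist.  Returns the argv with the executable resolved to its
    allowlisted absolute path, or raises CommandRejected."""
    if not raw or len(raw) > MAX_COMMAND_LENGTH:
        raise CommandRejected("empty or over-long command")
    try:
        tokens = shlex.split(raw)            # shell-style word splitting, no execution
    except ValueError as exc:                # e.g. unbalanced quotes
        raise CommandRejected(f"unparsable command: {exc}")
    if not tokens:
        raise CommandRejected("empty command")
    if any(SHELL_META.search(tok) for tok in tokens):
        raise CommandRejected("shell metacharacter in command")
    name, args = tokens[0], tokens[1:]
    spec = ALLOWED_COMMANDS.get(name)
    if spec is None:
        raise CommandRejected(f"command not allowlisted: {name}")
    if not set(args) <= spec["args"]:
        raise CommandRejected(f"argument not permitted for {name}: {args}")
    return [spec["path"], *args]


def is_rejected(raw):
    """True if validate_command refuses `raw` (convenience for checks/tests)."""
    try:
        validate_command(raw)
    except CommandRejected:
        return True
    return False


def _run_argv(argv):
    """Execute an already-validated argv with shell=False: no shell ever parses it."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10).stdout


def hardened_run_command(request_body, session, run=_run_argv):
    """Returns an HTTP-style (status, body) tuple.  Order matters: identity
    first (AC-14: nothing permitted anonymously), then authorization (AC-3),
    then input validation, and only then execution without a shell."""
    if not session.get("authenticated"):
        return 401, "authentication required"
    if "run_command" not in session.get("permissions", ()):
        return 403, "not authorized for run_command"
    try:
        argv = validate_command(request_body.get("command", ""))
    except CommandRejected as exc:
        return 400, f"command rejected: {exc}"
    return 200, run(argv)


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, four injection attempts.
    admin = {"authenticated": True, "permissions": {"run_command"}}
    dry_run = lambda argv: "would run " + " ".join(argv)
    for payload in ("uptime", "df -h", "uptime; id", "uptime && id", "$(id)", "df -h /etc"):
        print(repr(payload), "->", hardened_run_command({"command": payload}, admin, run=dry_run))
    print("anonymous ->", hardened_run_command({"command": "uptime"}, {}))
```

The hardened handler never lets the submitted string reach a shell: the allowlist decides which executable runs, the argument set is fixed per command, and the process is started with an argv list. Rejecting on metacharacters is a backstop, not the primary control; the allowlist is what closes the injection, because anything not on it (including newline-separated second commands, which shlex turns into extra tokens) is refused before execution.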