Cyber Resilience

CVE-2019-25441

Critical · Public PoC · RCE

Published: 20 February 2026
Modified: 12 March 2026
KEV Added: not listed
Patch: (no entry)
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0850 (94.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2019-25441 is a critical-severity OS Command Injection (CWE-78) vulnerability in Kostasmitroglou Thesystem. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2019-25441 is a command injection vulnerability (CWE-78) affecting thesystem version 1.0, specifically in the run_command endpoint. The flaw enables unauthenticated attackers to execute arbitrary system commands by submitting malicious input via POST requests, where shell commands are injected through the command parameter. This results in remote code execution on the server without requiring authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for complete compromise of confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted POST requests to the run_command endpoint with malicious payloads in the command parameter. Successful exploitation allows arbitrary command execution on the server, potentially leading to full system compromise, data exfiltration, privilege escalation, or deployment of persistent malware.

Advisories and related resources, including the GitHub repository at https://github.com/kostasmitroglou/thesystem, an Exploit-DB entry at https://www.exploit-db.com/exploits/47441, and a VulnCheck advisory at https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpoint, provide further details on the issue, proof-of-concept exploits, and potential mitigation guidance such as input validation or endpoint restrictions.

Vulnerability details

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in the public-facing run_command endpoint enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Affected Assets

kostasmitroglou thesystem 1.0.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: Requires validation of the command parameter in the run_command endpoint to ensure inputs are consistent and free of malicious shell commands, directly preventing command injection.

prevent (AC-14, Permitted Actions Without Identification or Authentication): Defines and restricts permitted actions without authentication, preventing unauthenticated access to the vulnerable run_command endpoint.

prevent (AC-3, Access Enforcement): Enforces approved access authorizations, requiring authentication and authorization for the run_command endpoint to block unauthenticated attackers.
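As an added illustration of the pattern described in the analysis above and of the controls just listed (constructed example, not code from the thesystem project; the handler signatures, the ALLOWED_COMMANDS table and the health probe are assumptions), the vulnerable handler shape sits beside a hardened one. The hardened version goes further than filtering shell metacharacters: it treats the command parameter as a key into fixed argument vectors and never invokes a shell.

```python
import subprocess

# Constructed example, not code from the thesystem project: a handler in the
# vulnerable shape the analysis describes, beside a hardened one that applies
# the input-validation and access-enforcement controls listed above.
# The handler signatures, ALLOWED_COMMANDS and the health probe are assumptions.


def run_command_vulnerable(request_params):
    """Vulnerable shape: no authentication, and the raw `command` parameter
    is handed to a shell, so metacharacters in it become extra commands."""
    command = request_params.get("command", "")
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


# Fixed argv lists keyed by a short name; the client picks a key, never text.
ALLOWED_COMMANDS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
    "health": ["echo", "ok"],  # trivial probe, exercised by the test
}


class CommandRejected(ValueError):
    pass


def validate_command(command):
    """Map an allowlisted name to its fixed argv; anything else is rejected.
    Shell text such as 'uptime; echo injected' is not a key, so it never
    reaches exec at all."""
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise CommandRejected(f"command not allowlisted: {command!r}")
    return list(ALLOWED_COMMANDS[command])


def run_command_hardened(request_params, user_is_authenticated):
    """Hardened shape: enforce authentication first (AC-3 / AC-14), then run
    only an allowlisted argv with shell=False, so no shell parses the input."""
    if not user_is_authenticated:
        raise PermissionError("authentication required for run_command")
    argv = validate_command(request_params.get("command"))
    return subprocess.run(argv, capture_output=True, text=True).stdout
```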
