Cyber Posture

CVE-2019-25671

HighPublic PoC

Published: 05 April 2026

Published
05 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0047 64.9th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25671 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of the mtu_eth0 parameter to reject shell metacharacters, preventing command injection in changeip.php.

SI-2 Flaw Remediation good match
prevent

Mandates identification, reporting, and correction of the specific input validation flaw in VA MAX 8.3.4, eliminating the remote code execution vulnerability.

SC-7 Boundary Protection partial match
preventdetect

Boundary protection with web application firewalls monitors and blocks malicious POST requests containing shell metacharacters in the mtu_eth0 field.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

CVE-2019-25671 enables remote code execution through command injection (shell metacharacters) in a public-facing web endpoint (changeip.php), directly facilitating T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) as an authenticated low-privilege attacker.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Attackers can send POST requests to the changeip.php endpoint with malicious payload in the mtu_eth0…

more

field to execute commands as the apache user.

Deeper analysisAI

CVE-2019-25671 is a remote code execution vulnerability affecting VA MAX version 8.3.4. The flaw arises from insufficient input validation, allowing attackers to inject shell metacharacters into the mtu_eth0 parameter via POST requests to the changeip.php endpoint. This CWE-22 issue enables arbitrary command execution and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with low privileges can exploit this vulnerability remotely with low complexity and no user interaction. By crafting a malicious payload in the mtu_eth0 field, they can execute arbitrary commands on the target system running as the apache user, potentially leading to full server compromise including data exfiltration, modification, or disruption.

Advisories document the issue, with a proof-of-concept exploit available at https://www.exploit-db.com/exploits/46348 and further details in the VulnCheck advisory at https://www.vulncheck.com/advisories/va-max-remote-code-execution-via-changeip-php.

Details

CWE(s)
CWE-22

CVEs Like This One

CVE-2024-36512Shared CWE-22
CVE-2025-14727Shared CWE-22
CVE-2025-36236Shared CWE-22
CVE-2025-7360Shared CWE-22
CVE-2025-7712Shared CWE-22
CVE-2024-39786Shared CWE-22
CVE-2025-64057Shared CWE-22
CVE-2025-14914Shared CWE-22
CVE-2025-15449Shared CWE-22
CVE-2026-38360Shared CWE-22

References