Cyber Resilience

CVE-2025-59736

CriticalRCE

Published: 02 October 2025

Published
02 October 2025
Modified
02 October 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 53.6th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59736 is a critical-severity Command Injection (CWE-77) vulnerability in Andsoft E-Tms. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59736 is an operating system command injection vulnerability (CWE-77, CWE-78) in AndSoft's e-TMS version 25.03. The issue stems from improper handling of the 'm' parameter in the '/clt/LOGINFRM_DJO.ASP' endpoint, enabling attackers to inject and execute arbitrary operating system commands on the server through a specially crafted POST request. Published on 2025-10-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

The vulnerability is exploitable remotely over the network by any unauthenticated attacker, requiring low complexity and no user interaction or privileges. A successful attack involves sending a malicious POST request to the vulnerable endpoint, allowing command execution on the server and potential full compromise, such as unauthorized access to sensitive data, system modification, or disruption of services.

INCIBE-CERT has issued an advisory on multiple vulnerabilities in AndSoft's e-TMS, including CVE-2025-59736, available at https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms. Practitioners should consult this notice for details on available updates, patches, and mitigation recommendations.

EU & UK References

Vulnerability details

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_DJO.ASP'.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

CVE enables exploitation of a public-facing web application (T1190) via unauthenticated remote command injection, directly facilitating arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59740Same product: Andsoft E-Tms
CVE-2025-59738Same product: Andsoft E-Tms
CVE-2025-59735Same product: Andsoft E-Tms
CVE-2025-59737Same product: Andsoft E-Tms
CVE-2025-59741Same product: Andsoft E-Tms
CVE-2025-59739Same product: Andsoft E-Tms
CVE-2025-44015Shared CWE-77, CWE-78
CVE-2026-4585Shared CWE-77, CWE-78
CVE-2026-7698Shared CWE-77, CWE-78
CVE-2026-1544Shared CWE-77, CWE-78

Affected Assets

andsoft
e-tms
25.03

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents command injection by validating and sanitizing the untrusted 'm' parameter in the vulnerable POST request to '/clt/LOGINFRM_DJO.ASP'.

prevent

SI-2 mitigates the vulnerability by identifying, reporting, and applying patches or updates for the specific command injection flaw in e-TMS v25.03 as advised by INCIBE-CERT.

prevent

SI-9 restricts the 'm' parameter input to safe types, formats, and lengths, reducing the attack surface for command injection exploits.

References