Cyber Resilience

CVE-2025-59738

CriticalRCE

Published: 02 October 2025

Published
02 October 2025
Modified
02 October 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 53.6th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59738 is a critical-severity Command Injection (CWE-77) vulnerability in Andsoft E-Tms. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59738 is an operating system command injection vulnerability (CWE-77, CWE-78) affecting AndSoft's e-TMS version 25.03. The flaw exists in the handling of the 'm' parameter within the '/clt/LOGINFRM_BET.ASP' endpoint, where unsanitized input from a POST request can lead to arbitrary command execution on the server. This critical issue carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and lack of prerequisites.

The vulnerability can be exploited remotely by any unauthenticated attacker (PR:N) over the network (AV:N) with no user interaction required (UI:N). Successful exploitation allows execution of arbitrary operating system commands on the affected server, potentially granting high-impact confidentiality (C:H), integrity (I:H), and availability (A:H) compromises, such as data theft, modification, or full system takeover, all within the unchanged security scope (S:U).

INCIBE-CERT has published an advisory detailing this and other vulnerabilities in AndSoft's e-TMS, available at https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms, which security practitioners should consult for mitigation guidance, including any recommended updates or workarounds.

EU & UK References

Vulnerability details

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_BET.ASP'.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

The vulnerability is a command injection in a public-facing ASP web endpoint, enabling remote unauthenticated exploitation of a public-facing application (T1190) and arbitrary OS command execution via Windows Command Shell (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59735Same product: Andsoft E-Tms
CVE-2025-59737Same product: Andsoft E-Tms
CVE-2025-59741Same product: Andsoft E-Tms
CVE-2025-59739Same product: Andsoft E-Tms
CVE-2025-59736Same product: Andsoft E-Tms
CVE-2025-59740Same product: Andsoft E-Tms
CVE-2026-28391Shared CWE-78
CVE-2026-9475Shared CWE-77, CWE-78
CVE-2025-9727Shared CWE-77, CWE-78
CVE-2023-53941Shared CWE-78

Affected Assets

andsoft
e-tms
25.03

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the OS command injection by requiring validation of the unsanitized 'm' parameter in POST requests to /clt/LOGINFRM_BET.ASP.

prevent

Enforces input restrictions on the 'm' parameter at the web application boundary to block malicious command injection payloads.

prevent

Remediates the specific flaw in e-TMS v25.03 through timely patching or workarounds as recommended in the INCIBE-CERT advisory.

References