CVE-2025-59739
Published: 02 October 2025
Summary
CVE-2025-59739 is a critical-severity Command Injection (CWE-77) vulnerability in Andsoft E-Tms. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-59739 is an operating system command injection vulnerability (CWE-77, CWE-78) in AndSoft's e-TMS version 25.03. The issue arises from improper handling of the 'm' parameter in the '/clt/LOGINFRM_original.ASP' endpoint, where an attacker can inject and execute arbitrary operating system commands on the server via a specially crafted POST request.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is remotely exploitable over the network with low attack complexity, and no privileges or user interaction are required to trigger it. Successful exploitation has high impact on confidentiality, integrity, and availability through arbitrary command execution on the server.
The INCIBE-CERT advisory provides details on this and other vulnerabilities in AndSoft's e-TMS, available at https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32632
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The affected parameter is 'm' in '/clt/LOGINFRM_original.ASP'.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a command injection in a public-facing web application endpoint, directly enabling T1190 (Exploit Public-Facing Application) for unauthenticated RCE and facilitating T1059.003 (Windows Command Shell) via arbitrary OS command execution on the server.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents command injection by requiring validation of untrusted inputs like the 'm' parameter in the vulnerable POST request.
SI-2 mitigates the CVE by identifying, reporting, and remediating the specific flaw in e-TMS v25.03 through timely patching.
SC-7 provides boundary protection via web application firewalls that can block or detect command injection attempts targeting the '/clt/LOGINFRM_original.ASP' endpoint.
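The two controls above, SI-10 input validation and SC-7 boundary detection, can be illustrated together with a small request checker. The following is an added example written for this page; it is not code from AndSoft, INCIBE or the e-TMS product, and it assumes (since the advisory does not say) that a legitimate 'm' value is a short identifier made of letters, digits, underscore or hyphen. The sample requests are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory for CVE-2025-59739
VULN_PATH = "/clt/LOGINFRM_original.ASP"
VULN_PARAM = "m"

# Assumption (not from the advisory): a legitimate 'm' value is an
# identifier-like string, 1 to 64 characters of [A-Za-z0-9_-].
ALLOWED = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Characters and sequences that carry meaning for cmd.exe or sh and that
# never belong in an identifier-like parameter.
SHELL_META = re.compile(r"[;&|`$<>\n\r]|\$\(|%[A-Za-z_]+%")


def validate_m(value: str) -> bool:
    """SI-10 style allowlist check: accept only identifier-like values.

    Allowlisting the expected shape is preferable to denylisting shell
    metacharacters, because the allowlist also rejects encodings and
    sequences the denylist never anticipated.
    """
    return bool(ALLOWED.match(value))


def inspect_request(method: str, path: str, body: str):
    """SC-7 style boundary check for one request.

    Returns a finding dict when a POST to the vulnerable endpoint carries an
    'm' value that fails the allowlist, otherwise None. Paths are compared
    case-insensitively because IIS treats them that way.
    """
    if method.upper() != "POST":
        return None
    if path.split("?", 1)[0].lower() != VULN_PATH.lower():
        return None
    # parse_qs percent-decodes, so encoded metacharacters are seen decoded
    params = parse_qs(body, keep_blank_values=True)
    for raw in params.get(VULN_PARAM, []):
        if not validate_m(raw):
            reason = ("shell metacharacters" if SHELL_META.search(raw)
                      else "fails allowlist")
            return {"param": VULN_PARAM, "value": raw, "reason": reason}
    return None


# Constructed sample traffic: (method, path, urlencoded body)
SAMPLE_REQUESTS = [
    ("POST", "/clt/LOGINFRM_original.ASP", "m=login01&user=alice"),
    ("POST", "/clt/loginfrm_original.asp", "m=login01%3B+echo+test"),
    ("POST", "/clt/LOGINFRM_original.ASP", "m=abc%26%26echo+test"),
    ("GET", "/clt/other.asp", "m=x;y"),
]


def scan(requests):
    """Run inspect_request over a batch and keep only the findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"ALERT {finding['param']}={finding['value']!r}: {finding['reason']}")
```

In a deployment the `inspect_request` logic would sit in a WAF rule or a log pipeline keyed on the endpoint path, while `validate_m` is the shape of check the application itself should apply before the parameter reaches any `WScript.Shell`-style call; rejecting the value outright, rather than stripping characters from it, keeps the two checks consistent.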