Cyber Resilience

CVE-2025-70831

Critical · RCE

Published: 20 February 2026

Modified: 26 February 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0092 (55.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-70831 is a critical-severity OS Command Injection (CWE-78) vulnerability in Lkw199711 Smanga. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-70831 is a Remote Code Execution (RCE) vulnerability in Smanga 3.2.7, affecting the /php/path/rescan.php interface. The issue stems from the application's failure to properly sanitize user-supplied input in the mediaId parameter before incorporating it into a system shell command, enabling OS command injection as classified under CWE-78. Published on 2026-02-20, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

Unauthenticated attackers can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying malicious input in the mediaId parameter, they can inject arbitrary operating system commands and achieve complete server compromise, with high impact on confidentiality, integrity, and availability.

Mitigation details and additional information are available in the referenced advisory at https://github.com/LX-66-LX/cve/issues/5.

Vulnerability details

A Remote Code Execution (RCE) vulnerability was found in Smanga 3.2.7 in the /php/path/rescan.php interface. The application fails to properly sanitize user-supplied input in the mediaId parameter before using it in a system shell command. This allows an unauthenticated attacker to inject arbitrary operating system commands, leading to complete server compromise.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an unauthenticated RCE via OS command injection (CWE-78) in a public-facing web application endpoint, directly enabling T1190 (Exploit Public-Facing Application) and facilitating arbitrary command execution via T1059.004 (Unix Shell) in a PHP-based system shell context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70833 (Same product: Lkw199711 Smanga)
CVE-2018-25115 (Shared CWE-78)
CVE-2025-24382 (Shared CWE-78)
CVE-2026-29058 (Shared CWE-78)
CVE-2024-57016 (Shared CWE-78)
CVE-2024-46484 (Shared CWE-78)
CVE-2015-10145 (Shared CWE-78)
CVE-2020-37002 (Shared CWE-78)
CVE-2026-27848 (Shared CWE-78)
CVE-2025-0356 (Shared CWE-78)

Affected Assets

Vendor: lkw199711
Product: smanga
Version: 3.2.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation and sanitization of user-supplied inputs such as the mediaId parameter before use in system commands, directly preventing OS command injection.

prevent

SI-2 requires timely identification, reporting, and correction of flaws like this command injection vulnerability through patching Smanga 3.2.7.

prevent, detect

SC-7 enforces boundary protection that can inspect and block malicious mediaId inputs attempting command injection via web application firewalls.
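
The SI-10 and SC-7 controls above can be applied as a log review: the following added example (not code from Smanga or from the advisory) flags access-log requests to /php/path/rescan.php whose mediaId fails a strict allow-list. It assumes a legitimate mediaId is a short decimal integer, that the parameter appears in the query string, and that logs use the common/combined format; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/php/path/rescan.php"  # endpoint named in the advisory
PARAM = "mediaId"                  # parameter named in the advisory
# Assumption: a legitimate mediaId is a short decimal integer.
VALID_ID = re.compile(r"[0-9]{1,10}")
# Request field of a common/combined log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def is_valid_media_id(value):
    """Allow-list check: the whole value must be 1-10 ASCII digits."""
    return VALID_ID.fullmatch(value) is not None

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for each rescan.php request
    carrying a mediaId that fails the allow-list."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes values and keeps repeated parameters,
        # so a valid first mediaId cannot hide an invalid second one.
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        findings.extend((n, v) for v in values if not is_valid_media_id(v))
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2026:10:00:01 +0000] "GET /php/path/rescan.php?mediaId=12 HTTP/1.1" 200 51',
    '203.0.113.9 - - [21/Feb/2026:10:00:07 +0000] "GET /php/path/rescan.php?mediaId=12%3BCONSTRUCTED HTTP/1.1" 200 0',
    '203.0.113.9 - - [21/Feb/2026:10:00:09 +0000] "GET /php/path/rescan.php?mediaId=3&mediaId=%24%28CONSTRUCTED%29 HTTP/1.1" 200 0',
    '203.0.113.5 - - [21/Feb/2026:10:00:12 +0000] "GET /index.php?mediaId=x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: rejected {PARAM}={value!r}")
```

Access logs normally omit request bodies, so a mediaId sent in a POST body is only visible to an inline control such as a WAF rule applying the same allow-list.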
