CVE-2019-25243

HighPublic PoC

Published: 24 December 2025

Published

24 December 2025

Modified

30 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0115 78.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents command injection by requiring validation and sanitization of unsanitized inputs like 'strInIP' and 'strInPort' parameters before processing in PHP scripts.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of flaws such as this specific command injection vulnerability in pingTest.php and tcpPortTest.php.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege, reducing the impact of injected commands by preventing the PHP scripts from executing with unnecessary root privileges.

Security SummaryAI

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability, classified under CWE-78, affecting the pingTest.php and tcpPortTest.php scripts. The flaw arises from unsanitized input parameters 'strInIP' and 'strInPort', which attackers can manipulate to inject and execute arbitrary shell commands with root privileges. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for complete system compromise.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network without user interaction. By sending crafted requests to the affected PHP scripts, the attacker achieves remote code execution as root, enabling full control over the host system, including data exfiltration, persistence, or further lateral movement.

Advisories and related resources are available from the vendor at http://www.iwt.com.hk, a proof-of-concept exploit at https://www.exploit-db.com/exploits/47064, and a detailed vulnerability report from Zero Science Labs at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php. These references provide further technical details but do not specify patch availability in the provided information.

Details

CWE(s): CWE-78

Affected Products

iwt

facesentry access control system firmware

5.7.0, 5.7.2, 6.4.8

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Authenticated remote command injection in web scripts enables exploitation of public-facing application (T1190), Unix shell execution (T1059.004), and privilege escalation from low privileges to root via the vulnerability (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

http://www.iwt.com.hk
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/47064
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php
Exploit, Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0