Cyber Posture

CVE-2019-25289

Severity: High · Public PoC

Published: 08 January 2026
Modified: 15 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0043 (62.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly prevents command injection by requiring validation and sanitization of the unsanitized 'par' POST parameter before it reaches the system() function in web.cgi.
- prevent: Mitigates the vulnerability through identification, reporting, and timely remediation or patching of the flaw in the 'testemail' module of web.cgi.
- prevent: Reduces the impact of a successful injection by enforcing least privilege on the web.cgi process, limiting arbitrary command execution to non-root privileges.

Security Summary (AI-generated)

CVE-2019-25289 is an authenticated remote command injection vulnerability (CWE-78) affecting SmartLiving SmartLAN versions <=6.x. The issue resides in the web.cgi binary, where the 'par' POST parameter in the 'testemail' module is unsanitized, enabling attackers to inject arbitrary commands via the system() function call. This flaw allows execution of commands with root privileges, particularly exploitable using default credentials, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. Successful exploitation grants the ability to execute arbitrary system commands as root, potentially leading to full system compromise, including high impacts on confidentiality, integrity, and availability.

References including advisories, proof-of-concept exploits, and vulnerability details are available at sources such as cxsecurity.com, IBM X-Force Exchange, Packet Storm Security, Exploit-DB, and the vendor site at inim.biz. No specific patch or mitigation details are outlined in the provided CVE information.
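The bug class described above, as a constructed C example that is not the vendor's web.cgi code: an unsafe handler that splices the 'par' value into a command line destined for system(), beside a hardened version that allowlists the recipient and execs the mailer directly with an argv array. The mailer path and all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed example, not the vendor's web.cgi; the mailer path is an assumption. */
#define MAILER "/usr/sbin/sendmail"

/* Vulnerable pattern: the 'par' value is spliced verbatim into a shell command line.
 * Handing the result to system() lets shell metacharacters in 'par' run extra commands
 * with the privileges of the CGI process (root, per the advisory). */
int unsafe_build(const char *par, char *cmd, size_t n)
{
    return snprintf(cmd, n, MAILER " %s", par);   /* system(cmd) is the injection point */
}

/* Allowlist check: bounded length, exactly one '@' not at either end, only
 * [A-Za-z0-9._+-], and no leading '-' so the value cannot be read as a mailer option. */
int is_safe_recipient(const char *s)
{
    size_t len = strlen(s), at = 0;
    if (len == 0 || len > 254 || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') { at++; continue; }
        if (!(isalnum(c) || c == '.' || c == '_' || c == '+' || c == '-')) return 0;
    }
    return at == 1 && s[0] != '@' && s[len - 1] != '@';
}

/* Hardened handler: validate first, then exec the mailer with an argv array.
 * No shell parses the value, so it can only ever be a single argument.
 * Returns -1 for rejected input or spawn failure, otherwise the mailer's exit status. */
int safe_send_test_email(const char *par)
{
    if (!is_safe_recipient(par)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { MAILER, (char *)par, NULL };
        execv(MAILER, argv);
        _exit(127);                 /* exec failed; do not fall back to a shell */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Running the hardened handler as an unprivileged service account rather than root is the least-privilege control listed above; the validator and argv exec address the injection itself.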

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an authenticated command injection in a public-facing web application (web.cgi), directly enabling exploitation of public-facing applications (T1190) and execution via Unix Shell command injection (T1059.004) with root privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References