Cyber Posture

CVE-2019-25441

Critical · Public PoC

Published: 20 February 2026
Modified: 12 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0621 (90.9th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.

Mitigating Controls (NIST 800-53 r5) · AI

- prevent: Requires validation of the command parameter in the run_command endpoint to ensure inputs are consistent and free of malicious shell commands, directly preventing command injection.
- prevent: Defines and restricts permitted actions without authentication, preventing unauthenticated access to the vulnerable run_command endpoint.
- prevent: Enforces approved access authorizations, requiring authentication and authorization for the run_command endpoint to block unauthenticated attackers.
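The three controls above, as an added example that is not part of this page or of the thesystem project: a hypothetical Python handler for a run_command-style endpoint that refuses unauthenticated callers, resolves the command parameter against a fixed allow-list, and never hands request data to a shell. The names (ALLOWED_ACTIONS, build_argv, Rejected, is_rejected) and the sample actions are assumptions made for this example.

```python
import re
import subprocess

# Constructed allow-list: the only actions the endpoint may run, each mapped to a
# fixed argv. The client chooses a key; it never supplies program text.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "disk_usage": ["df", "-h"],
    "list_dir": ["ls", "-l"],  # the one action that accepts an optional path
}
# Optional path argument: plain path characters only, no whitespace, no shell
# metacharacters, and no ".." segments.
SAFE_ARG = re.compile(r"^(?!.*\.\.)[A-Za-z0-9._/-]{1,128}$")


class Rejected(Exception):
    """Raised when a request fails authentication or validation (hypothetical)."""


def build_argv(form, session):
    """Authorize the caller, then map the POST body (a dict) to a fixed argv list."""
    if not session.get("authenticated"):
        raise Rejected("authentication required")    # no anonymous use of the endpoint
    action = form.get("command", "")
    if action not in ALLOWED_ACTIONS:
        raise Rejected("unknown action %r" % action)  # allow-list, not a deny-list
    argv = list(ALLOWED_ACTIONS[action])
    arg = form.get("arg")
    if arg is not None:
        if action != "list_dir" or not SAFE_ARG.match(arg):
            raise Rejected("invalid argument")
        argv.append(arg)
    return argv


def is_rejected(form, session):
    """True when build_argv would refuse the request; convenient for checks."""
    try:
        build_argv(form, session)
    except Rejected:
        return True
    return False


def run_command(form, session):
    """Run the allow-listed argv directly (shell=False is subprocess's default)."""
    proc = subprocess.run(build_argv(form, session), capture_output=True, text=True, timeout=10)
    return proc.stdout
```

The request body and session are plain dicts here; in a real framework they would come from the request and session objects, and the same checks apply.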

Security Summary · AI

CVE-2019-25441 is a command injection vulnerability (CWE-78) affecting thesystem version 1.0, specifically in the run_command endpoint. The flaw enables unauthenticated attackers to execute arbitrary system commands by submitting malicious input via POST requests, where shell commands are injected through the command parameter. This results in remote code execution on the server without requiring authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for complete compromise of confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted POST requests to the run_command endpoint with malicious payloads in the command parameter. Successful exploitation allows arbitrary command execution on the server, potentially leading to full system compromise, data exfiltration, privilege escalation, or deployment of persistent malware.

Advisories and related resources, including the GitHub repository at https://github.com/kostasmitroglou/thesystem, an Exploit-DB entry at https://www.exploit-db.com/exploits/47441, and a VulnCheck advisory at https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpoint, provide further details on the issue, proof-of-concept exploits, and potential mitigation guidance such as input validation or endpoint restrictions.

Details

CWE(s)

Affected Products: kostasmitroglou thesystem 1.0.0

MITRE ATT&CK Enterprise Techniques · AI

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in the public-facing run_command endpoint enables exploitation of a public-facing application (T1190) and gives the attacker arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References