Cyber Posture

CVE-2019-25468

Critical · Public PoC

Published: 11 March 2026
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (54.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

NetGain EM Plus 10.1.68 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious parameters to the script_test.jsp endpoint. Attackers can send POST requests with shell commands embedded in the 'content' parameter to execute code and retrieve command output.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly prevents code injection attacks by validating and sanitizing the 'content' parameter submitted to the script_test.jsp endpoint.

prevent

Remediates the specific remote code execution flaw in NetGain EM Plus 10.1.68 by identifying, prioritizing, and applying patches or fixes.

prevent

Protects the publicly accessible script_test.jsp endpoint from unauthorized unauthenticated access and exploitation via enforced security measures.

Security Summary (AI)

CVE-2019-25468 is a remote code execution vulnerability affecting NetGain EM Plus version 10.1.68. The issue lies in the script_test.jsp endpoint, which processes POST requests insecurely. Unauthenticated attackers can submit malicious parameters, embedding arbitrary shell commands in the 'content' parameter, leading to command execution and retrieval of output. This flaw is classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The attack scenario targets systems exposing the script_test.jsp endpoint over the network. Unauthenticated remote attackers require no privileges, user interaction, or special access, making exploitation straightforward via crafted POST requests. Successful attacks allow full remote code execution, providing high-impact compromise of confidentiality, integrity, and availability, such as running system commands to escalate control over the affected NetGain EM Plus instance.

References include a VulnCheck advisory detailing the remote code execution via script_test.jsp, an Exploit-DB proof-of-concept (exploit ID 47391), and the vendor site at netgain-systems.com. These sources confirm the vulnerability's mechanics and public exploit availability, but the information provided does not specify patch details or mitigation steps.
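One way to look for requests to this endpoint in web access logs, as an added example that is not from the original page or the vendor. It assumes Combined Log Format; the sample lines, the `/example/` directory and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory, matched by file name only: the page gives no directory.
ENDPOINT = "script_test.jsp"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def endpoint_name(target):
    """Last path segment, percent-decoded, lower-cased, without ';param' suffixes."""
    path = unquote(urlsplit(target).path)
    last = path.rsplit("/", 1)[-1]
    return last.split(";", 1)[0].lower()

def find_hits(lines):
    """Map source IP -> list of (timestamp, method, status, verdict) for the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or endpoint_name(m["target"]) != ENDPOINT:
            continue
        status = int(m["status"])
        # The advisory describes POST requests; a 2xx answer means the JSP handled one.
        # Access logs do not record the body, so the 'content' value is not visible here.
        served = m["method"] == "POST" and 200 <= status < 300
        verdict = "investigate" if served else "probe"
        hits[m["ip"]].append((m["ts"], m["method"], status, verdict))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up directory).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Mar/2026:10:00:01 +0000] "GET /example/index.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Mar/2026:10:00:05 +0000] "POST /example/script_test.jsp HTTP/1.1" 200 87',
    '203.0.113.7 - - [11/Mar/2026:10:00:09 +0000] "POST /example/Script_Test.JSP;jsessionid=AB12 HTTP/1.1" 200 140',
    '198.51.100.4 - - [11/Mar/2026:10:02:00 +0000] "GET /example/script%5Ftest.jsp HTTP/1.1" 404 0',
    '192.0.2.10 - - [11/Mar/2026:10:03:00 +0000] "POST /example/login.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, events in find_hits(SAMPLE_LOG).items():
        for ts, method, status, verdict in events:
            print(f"{verdict:11} {ip:15} {ts} {method} {status}")
```

Because the endpoint is reachable without authentication, every "investigate" line warrants host-level review of the affected instance; the log alone cannot show which command was submitted.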

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Unauthenticated RCE via command injection in a public-facing web endpoint (script_test.jsp) directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary system command execution (T1059 Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References