CVE-2019-25671

HighPublic PoC

Published: 05 April 2026

Published

05 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0047 64.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Attackers can send POST requests to the changeip.php endpoint with malicious payload in the mtu_eth0…

field to execute commands as the apache user.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of the mtu_eth0 parameter to reject shell metacharacters, preventing command injection in changeip.php.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of the specific input validation flaw in VA MAX 8.3.4, eliminating the remote code execution vulnerability.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection with web application firewalls monitors and blocks malicious POST requests containing shell metacharacters in the mtu_eth0 field.

Security SummaryAI

CVE-2019-25671 is a remote code execution vulnerability affecting VA MAX version 8.3.4. The flaw arises from insufficient input validation, allowing attackers to inject shell metacharacters into the mtu_eth0 parameter via POST requests to the changeip.php endpoint. This CWE-22 issue enables arbitrary command execution and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with low privileges can exploit this vulnerability remotely with low complexity and no user interaction. By crafting a malicious payload in the mtu_eth0 field, they can execute arbitrary commands on the target system running as the apache user, potentially leading to full server compromise including data exfiltration, modification, or disruption.

Advisories document the issue, with a proof-of-concept exploit available at https://www.exploit-db.com/exploits/46348 and further details in the VulnCheck advisory at https://www.vulncheck.com/advisories/va-max-remote-code-execution-via-changeip-php.

Details

CWE(s): CWE-22

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE-2019-25671 enables remote code execution through command injection (shell metacharacters) in a public-facing web endpoint (changeip.php), directly facilitating T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) as an authenticated low-privilege attacker.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/46348
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/va-max-remote-code-execution-via-changeip-php
disclosure@vulncheck.com