CVE-2025-59735
Published: 02 October 2025
Description
Adversaries may abuse the Windows command shell for execution.
Security Summary
CVE-2025-59735 is an operating system command injection vulnerability (CWE-77, CWE-78) in AndSoft's e-TMS version 25.03. The issue arises from improper handling of the 'm' parameter in the '/clt/LOGINFRM.ASP' endpoint, where a specially crafted POST request enables attackers to execute arbitrary operating system commands on the affected server.
This vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is highly severe and remotely exploitable over the network with low complexity, no required privileges, and no user interaction. Unauthenticated attackers can send a malicious POST request to inject and execute OS commands, achieving high impacts on confidentiality, integrity, and availability, such as full server compromise.
INCIBE-CERT has published an advisory on this and other vulnerabilities in AndSoft's e-TMS at https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms, which provides details relevant to mitigation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a public-facing ASP web endpoint enables unauthenticated remote OS command execution, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1059.003 (Windows Command Shell) for execution.