CVE-2025-59736

CVE-2025-59736 is an operating system command injection vulnerability (CWE-77, CWE-78) in AndSoft's e-TMS version 25.03. The issue stems from improper handling of the 'm' parameter in the '/clt/LOGINFRM_DJO.ASP' endpoint, enabling attackers to inject and execute arbitrary operating system commands on the server through a specially crafted POST request. Published on 2025-10-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

The vulnerability is exploitable remotely over the network by any unauthenticated attacker, requiring low complexity and no user interaction or privileges. A successful attack involves sending a malicious POST request to the vulnerable endpoint, allowing command execution on the server and potential full compromise, such as unauthorized access to sensitive data, system modification, or disruption of services.

INCIBE-CERT has issued an advisory on multiple vulnerabilities in AndSoft's e-TMS, including CVE-2025-59736, available at https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms. Practitioners should consult this notice for details on available updates, patches, and mitigation recommendations.