CVE-2025-59738
Published: 02 October 2025
Description
Adversaries may abuse the Windows command shell for execution.
Security Summary
CVE-2025-59738 is an operating system command injection vulnerability (CWE-77, CWE-78) affecting AndSoft's e-TMS version 25.03. The flaw lies in the handling of the 'm' parameter of the '/clt/LOGINFRM_BET.ASP' endpoint: unsanitized input from a POST request can lead to arbitrary command execution on the server. This critical issue carries a CVSS v3.1 base score of 9.8, reflecting network reachability, low attack complexity, and the absence of any privilege or user-interaction prerequisite.
The vulnerability can be exploited remotely by an unauthenticated attacker (PR:N) over the network (AV:N) with no user interaction required (UI:N). Successful exploitation allows execution of arbitrary operating system commands on the affected server, with high impact on confidentiality (C:H), integrity (I:H), and availability (A:H), for example data theft, data modification, or full system takeover, within an unchanged security scope (S:U).
INCIBE-CERT has published an advisory detailing this and other vulnerabilities in AndSoft's e-TMS, available at https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms, which security practitioners should consult for mitigation guidance, including any recommended updates or workarounds.
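To make the CWE-78 pattern behind this advisory concrete from the defender's side, the following is an added example, not e-TMS source or INCIBE-CERT code: it shows the two controls that close an OS command injection in a request handler, an allowlist check on the parameter value and a child process started from an argument vector instead of a shell string. The endpoint path and the parameter name 'm' are taken from the advisory; the allowlist pattern, the helper names, the use of the Python interpreter as a stand-in child command, and the sample inputs are all assumptions made for the example.

```python
"""Generic illustration of guarding a web parameter against CWE-78 command
injection. Added example code, not e-TMS source. The endpoint path and the
parameter name come from the advisory; everything else is an assumption."""
import re
import subprocess
import sys

ENDPOINT = "/clt/LOGINFRM_BET.ASP"   # from the advisory
PARAM = "m"                          # from the advisory

# Assumed allowlist: the only characters the parameter is expected to carry.
ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Shell metacharacters, used only to explain *why* a value was rejected; the
# allowlist above is the control, a denylist alone is not sufficient.
SHELL_META = set(';&|`$<>()\n\r"\'\\% ')


def check_param(value: str) -> tuple[bool, str]:
    """Return (accepted, reason). Allowlist decides; the metachar scan is diagnostic."""
    if not value:
        return False, "empty"
    if ALLOWED.fullmatch(value):
        return True, "ok"
    bad = sorted(c for c in value if c in SHELL_META)
    if bad:
        return False, f"shell metacharacters: {bad!r}"
    return False, "outside allowlist"


def build_argv(value: str) -> list[str]:
    """Build the child's argument vector as a list, never as a shell string.
    The child command is a stand-in (the interpreter echoing its argument)
    so the example runs on any platform."""
    ok, reason = check_param(value)
    if not ok:
        raise ValueError(f"rejected {PARAM}={value!r} at {ENDPOINT}: {reason}")
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", value]


def run_for_param(value: str) -> str:
    """Validate, then execute with shell=False so the value is one argv entry."""
    argv = build_argv(value)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


def handle_post(form: dict[str, str]) -> tuple[int, str]:
    """Minimal stand-in for the endpoint's POST handler: HTTP 400 on bad input."""
    try:
        return 200, run_for_param(form.get(PARAM, ""))
    except ValueError as exc:
        return 400, str(exc)


if __name__ == "__main__":
    for sample in ("user_01", "x;y", ""):   # constructed sample inputs
        print(handle_post({PARAM: sample}))
```

The handler accepts `user_01` and returns it through the child process, while `x;y` and an empty value are refused with a 400 before any process is started. Even if the allowlist were loosened, `subprocess.run` with a list and `shell=False` passes the value as a single argument rather than interpreting it, so the two controls back each other up; the same structure applies to the server-side scripting used by the affected product.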
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a command injection in a public-facing ASP web endpoint, enabling remote unauthenticated exploitation of a public-facing application (T1190) and arbitrary OS command execution via the Windows Command Shell (T1059.003).