CVE-2025-59739
Published: 02 October 2025
Description
Adversaries may abuse the Windows command shell for execution.
Security Summary
CVE-2025-59739 is an operating system command injection vulnerability (CWE-77, CWE-78) in AndSoft's e-TMS version 25.03. The issue arises from improper handling of the 'm' parameter in the '/clt/LOGINFRM_original.ASP' endpoint, where an attacker can inject and execute arbitrary operating system commands on the server via a specially crafted POST request.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is highly severe and remotely exploitable over the network with low complexity. Unauthenticated attackers require no privileges or user interaction to trigger it, achieving high-impact effects on confidentiality, integrity, and availability through arbitrary command execution on the server.
The INCIBE-CERT advisory provides details on this and other vulnerabilities in AndSoft's e-TMS, available at https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a command injection in a public-facing web application endpoint, directly enabling T1190 (Exploit Public-Facing Application) for unauthenticated RCE and facilitating T1059.003 (Windows Command Shell) via arbitrary OS command execution on the server.