CVE-2025-59740
Published: 02 October 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-59740 is an operating system command injection vulnerability (CWE-77, CWE-78) in AndSoft's e-TMS version 25.03. The issue stems from improper handling of the 'm' parameter in the '/clt/LOGINFRM_CAT.ASP' endpoint, enabling attackers to execute arbitrary operating system commands on the server through a specially crafted POST request. Published on 2025-10-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
The vulnerability can be exploited by any unauthenticated attacker with network access, requiring low complexity and no user interaction. By sending a malicious POST request targeting the vulnerable parameter, the attacker achieves remote code execution on the server, with potential for high-impact compromise across confidentiality, integrity, and availability.
Mitigation guidance is available in the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms, which addresses this and other vulnerabilities in AndSoft's e-TMS.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables unauthenticated RCE via command injection in a public-facing web application endpoint, directly mapping to T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter).