CVE-2025-59741

CVE-2025-59741 is an operating system command injection vulnerability (CWE-77, CWE-78) affecting AndSoft's e-TMS version 25.03. The flaw resides in the handling of the 'm' parameter within the '/CLT/LOGINERRORFRM.ASP' endpoint, where unsanitized input from a POST request enables arbitrary command execution on the server. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it represents critical risk due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges or user interaction required. By crafting a malicious POST request to the affected endpoint, an attacker can inject and execute arbitrary operating system commands on the server, potentially leading to full system compromise, data exfiltration, persistence, or further lateral movement within the environment.

INCIBE-CERT has issued an advisory detailing multiple vulnerabilities in AndSoft's e-TMS, including this one, under notice "update-24092025-multiple-vulnerabilities-andsofts-e-tms," recommending updates to mitigate the risks. Security practitioners should verify patch availability from the vendor and apply them promptly, alongside input validation and network segmentation as interim controls.