
Description

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.

PUBLISHED Reserved 2026-01-06 | Published 2026-01-07 | Updated 2026-01-08 | Assigner VulnCheck




HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

<=6.x: affected
505: affected
515: affected
1050: affected
1050/G3: affected
10100L: affected
10100L/G3: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php (Zero Science Lab Vulnerability Advisory) third-party-advisory

www.exploit-db.com/exploits/47765 (Exploit Database Entry 47765) exploit

packetstormsecurity.com/files/155616 (Packet Storm Security Exploit File) exploit

cxsecurity.com/issue/WLB-2019120046 (CXSecurity Vulnerability Issue) third-party-advisory

exchange.xforce.ibmcloud.com/vulnerabilities/172840 (IBM X-Force Vulnerability Exchange Entry) vdb-entry

www.inim.biz/ (Inim Vendor Homepage) product

cve.org (CVE-2019-25289)

nvd.nist.gov (CVE-2019-25289)
