CVE-2019-25243

Summary

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.

Affected Software

VendorProductVersion RangeStatus
iWT Ltd.FaceSentry Access Control System6.4.8 build 264affected
iWT Ltd.FaceSentry Access Control System5.7.2 build 568affected
iWT Ltd.FaceSentry Access Control System5.7.0 build 539affected

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References