CVE-2019-25289

Summary

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.

Affected Software

VendorProductVersion RangeStatus
INIM Electronics s.r.l.SmartLiving SmartLAN/G/SI<=6.0affected
INIM Electronics s.r.l.SmartLiving SmartLAN/G/SI505affected
INIM Electronics s.r.l.SmartLiving SmartLAN/G/SI515affected
INIM Electronics s.r.l.SmartLiving SmartLAN/G/SI1050affected
INIM Electronics s.r.l.SmartLiving SmartLAN/G/SI1050/G3affected
INIM Electronics s.r.l.SmartLiving SmartLAN/G/SI10100Laffected
INIM Electronics s.r.l.SmartLiving SmartLAN/G/SI10100L/G3affected

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References