PT-2026-30480 · Va Max · Va Max
Published 2026-04-05 · Updated 2026-04-05
CVE-2019-25671
CVSS v3.1: 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu eth0 parameter. Attackers can send POST requests to the changeip.php endpoint with a malicious payload in the mtu eth0 field to execute commands as the apache user.
Exploit
Fix
Path traversal
Affected Products
Va Max