CVE-2019-25243

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' paramete...

high 8.8 CVSS 3.1
Published: Dec 24, 2025
Modified: Dec 30, 2025
Vendor: Iwt
Product: Facesentry Access Control System Firmware
Versions: 5.7.0,5.7.2,6.4.8

Description

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.

References

Related CVEs

CVE-2019-25242 medium · 4.3
FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers c
CVE-2019-25241 critical · 9.8
FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure