CVE-2019-25243
Unknown Unknown - Not Provided
Authenticated Remote Command Injection in FaceSentry 6.4.8 Scripts

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25243
EUVD
EUVD-2025-205320
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
iwt facesentry 6.4.8
iwt facesentry 5.7.2
iwt facesentry 5.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

FaceSentry version 6.4.8 contains an authenticated remote command injection vulnerability in the PHP scripts pingTest.php and tcpPortTest.php. Attackers who have valid credentials can exploit unsanitized input parameters ('strInIP' and 'strInPort') to inject and execute arbitrary shell commands with root privileges. This happens because these parameters are directly passed to system or exec calls without proper validation, allowing an attacker to run commands as the root user on the device. [1, 2]

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges on the FaceSentry device. This means the attacker can fully control the system, potentially leading to unauthorized access, data theft, system manipulation, or disruption of the access control system. Since the device manages biometric identity and access control, exploitation could compromise physical security and sensitive user data. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the vulnerable PHP scripts 'pingTest.php' and 'tcpPortTest.php' for command injection via the POST parameters 'strInIP' and 'strInPort'. For example, sending authenticated POST requests with injected shell commands such as appending ';sudo id' or using backticks to execute 'sudo id' in these parameters can reveal if arbitrary commands are executed with root privileges. Monitoring for unexpected command execution or creation of files containing root user IDs after such tests can confirm exploitation. Specific commands involve crafting POST requests to these scripts with payloads that attempt to execute shell commands. Since the vulnerability requires authentication, testing should be done with valid credentials. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable scripts 'pingTest.php' and 'tcpPortTest.php' to trusted users only, disabling or removing these scripts if not needed, and changing default credentials to strong, unique passwords to prevent unauthorized authentication. Additionally, monitoring and logging access to these scripts can help detect exploitation attempts. Applying any available patches or updates from the vendor that address input sanitization issues is recommended once available. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25243. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart