CVE-2019-25243
Authenticated Remote Command Injection in FaceSentry 6.4.8 Scripts
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iwt | facesentry | 6.4.8 |
| iwt | facesentry | 5.7.2 |
| iwt | facesentry | 5.7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
FaceSentry version 6.4.8 contains an authenticated remote command injection vulnerability in the PHP scripts pingTest.php and tcpPortTest.php. Attackers who have valid credentials can exploit unsanitized input parameters ('strInIP' and 'strInPort') to inject and execute arbitrary shell commands with root privileges. This happens because these parameters are directly passed to system or exec calls without proper validation, allowing an attacker to run commands as the root user on the device. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges on the FaceSentry device. This means the attacker can fully control the system, potentially leading to unauthorized access, data theft, system manipulation, or disruption of the access control system. Since the device manages biometric identity and access control, exploitation could compromise physical security and sensitive user data. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable PHP scripts 'pingTest.php' and 'tcpPortTest.php' for command injection via the POST parameters 'strInIP' and 'strInPort'. For example, sending authenticated POST requests with injected shell commands such as appending ';sudo id' or using backticks to execute 'sudo id' in these parameters can reveal if arbitrary commands are executed with root privileges. Monitoring for unexpected command execution or creation of files containing root user IDs after such tests can confirm exploitation. Specific commands involve crafting POST requests to these scripts with payloads that attempt to execute shell commands. Since the vulnerability requires authentication, testing should be done with valid credentials. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable scripts 'pingTest.php' and 'tcpPortTest.php' to trusted users only, disabling or removing these scripts if they are not needed, and changing default credentials to strong, unique passwords to prevent unauthorized authentication. Additionally, monitoring and logging access to these scripts can help detect exploitation attempts. Applying vendor patches or updates that address the input sanitization issues is recommended once they are available. [1, 2]
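The monitoring step above can be automated by flagging any request to the two scripts whose 'strInIP' or 'strInPort' value is not a plain IP address or port number. The following is an added example, not code from the vendor or the advisory; it assumes a reverse proxy or WAF that logs POST bodies as JSON lines with the hypothetical fields `src`, `method`, `path` and `body`, and that 'strInIP' is meant to hold an IP literal rather than a hostname.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

SCRIPTS = {"pingTest.php", "tcpPortTest.php"}  # scripts named in the advisory

def valid_ip(value):
    if "%" in value:  # IPv6 zone IDs are free-form text, so refuse them
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def valid_port(value):
    return value.isascii() and value.isdigit() and 1 <= int(value) <= 65535

CHECKS = {"strInIP": valid_ip, "strInPort": valid_port}  # parameters named in the advisory

# Constructed sample: JSON-lines request log with form bodies (assumed format and paths).
SAMPLE_LOG = """\
{"src": "10.0.0.5", "method": "POST", "path": "/pingTest.php", "body": "strInIP=192.168.1.1"}
{"src": "10.0.0.7", "method": "POST", "path": "/pingTest.php", "body": "strInIP=127.0.0.1%3Bsudo+id"}
{"src": "10.0.0.7", "method": "POST", "path": "/tcpPortTest.php", "body": "strInIP=192.168.1.1&strInPort=80%60sudo+id%60"}
{"src": "10.0.0.5", "method": "POST", "path": "/tcpPortTest.php", "body": "strInIP=192.168.1.1&strInPort=443"}
{"src": "10.0.0.9", "method": "GET", "path": "/index.php", "body": ""}
"""

def suspicious_requests(log_text):
    """Return (src, script, parameter, value) for values that are not a plain IP or port."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        script = urlsplit(rec["path"]).path.rsplit("/", 1)[-1]
        if rec["method"] != "POST" or script not in SCRIPTS:
            continue
        # parse_qs URL-decodes each value, so encoded metacharacters are checked too
        params = parse_qs(rec["body"], keep_blank_values=True)
        for name, check in CHECKS.items():
            for value in params.get(name, []):
                if not check(value):
                    findings.append((rec["src"], script, name, value))
    return findings

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

The allowlist approach (accept only a well-formed address or port) also describes the server-side validation the scripts lack, and it avoids maintaining a list of shell metacharacters.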