CVE-2019-25289
Authenticated Remote Command Injection in SmartLiving SmartLAN Web.cgi
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inim_electronics | smartliving_smartlan | up to and including 6.x |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated remote command injection in the SmartLiving SmartLAN 6.x system's web.cgi binary, specifically in the 'testemail' module. The 'par' POST parameter is not properly sanitized before being passed to a system() function call that executes a shell command using the mailx service. Attackers who have authenticated access using default credentials can inject arbitrary system commands via this parameter, which are then executed with root privileges on the device. This allows them to gain full control over the affected system remotely. [2, 3, 4]
How can this vulnerability impact me?
Exploitation of this vulnerability allows an attacker with authenticated access (using default or known credentials) to execute arbitrary commands on the affected device with root privileges. This means the attacker can take full control of the device remotely, potentially compromising the security system, accessing sensitive data, disrupting operations, or using the device as a foothold for further attacks within the network. [2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to send an authenticated POST request to the /cgi-bin/web.cgi endpoint with the parameters mod=testemail and par containing a command injection payload. For example, using curl to test command injection:

```
curl -sik http://<target_ip>/cgi-bin/web.cgi -X POST --data "mod=testemail&par=;/sbin/ifconfig" --cookie "user=admin;pass=pass;code=9999"
```

If the command executes and returns output (like network interface details), the system is vulnerable. This method requires valid credentials (default or known). Monitoring for unusual POST requests to /cgi-bin/web.cgi with suspicious 'par' parameter values can also help detect exploitation attempts. [2, 3]
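The monitoring approach described above can be sketched as a small classifier over captured requests. This is an added example, not code from the advisory or the vendor. It assumes a proxy or WAF that records POST bodies and that a legitimate 'par' value is a single e-mail address; the function names and record layout are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters: any of these in 'par' can end the mailx argument and
# start a second command inside the system() call.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")
# Assumption: a legitimate test-email request carries one plain address in 'par'.
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify_request(method, url, body):
    """Return 'ignore', 'ok', 'suspicious' or 'injection' for one HTTP request."""
    if method.upper() != "POST" or urlsplit(url).path != "/cgi-bin/web.cgi":
        return "ignore"
    # parse_qs percent-decodes values, so %3B and friends are caught as well.
    # separator="&" keeps ';' inside the value instead of splitting on it.
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    if "testemail" not in fields.get("mod", []):
        return "ignore"
    verdict = "ok"
    for value in fields.get("par", [""]):  # a missing 'par' is itself unusual
        if SHELL_META.search(value):
            return "injection"
        if not PLAIN_ADDRESS.fullmatch(value):
            verdict = "suspicious"
    return verdict


# Constructed sample records (method, URL, body), as a body-logging proxy might store them.
SAMPLES = [
    ("POST", "/cgi-bin/web.cgi", "mod=testemail&par=installer@example.com"),
    ("POST", "/cgi-bin/web.cgi", "mod=testemail&par=;/sbin/ifconfig"),
    ("POST", "/cgi-bin/web.cgi", "mod=testemail&par=%3B%2Fsbin%2Fifconfig"),
    ("POST", "/cgi-bin/web.cgi", "mod=testemail&par=not-an-address"),
    ("GET", "/index.html", ""),
]


def scan(records):
    """Classify every record and keep those that touch the testemail module."""
    results = [(classify_request(*rec), rec[2]) for rec in records]
    return [item for item in results if item[0] != "ignore"]


if __name__ == "__main__":
    for verdict, body in scan(SAMPLES):
        print(f"{verdict:10} {body}")
```

Plain web-server access logs usually omit POST bodies, so this check needs a capture point that records them.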
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include changing default credentials to strong, unique passwords to prevent unauthorized authenticated access, restricting network access to the affected device's web interface to trusted hosts only, and disabling or restricting the 'testemail' module if possible. Applying any available vendor patches or updates that fix the input sanitization issue in the web.cgi binary is critical. Additionally, monitoring logs for suspicious POST requests to /cgi-bin/web.cgi and blocking malicious traffic can help reduce risk until a patch is applied. [2, 4]