CVE-2019-25289
Unknown Unknown - Not Provided
Authenticated Remote Command Injection in SmartLiving SmartLAN Web.cgi

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: VulnCheck

Description
SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25289
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
inim_electronics smartliving_smartlan to 6.x (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated remote command injection in the SmartLiving SmartLAN 6.x system's web.cgi binary, specifically in the 'testemail' module. The 'par' POST parameter is not properly sanitized before being passed to a system() function call that executes a shell command using the mailx service. Attackers who have authenticated access using default credentials can inject arbitrary system commands via this parameter, which are then executed with root privileges on the device. This allows them to gain full control over the affected system remotely. [2, 3, 4]

Impact Analysis

Exploitation of this vulnerability allows an attacker with authenticated access (using default or known credentials) to execute arbitrary commands on the affected device with root privileges. This means the attacker can take full control of the device remotely, potentially compromising the security system, accessing sensitive data, disrupting operations, or using the device as a foothold for further attacks within the network. [2, 3, 4]

Detection Guidance

This vulnerability can be detected by attempting to send an authenticated POST request to the /cgi-bin/web.cgi endpoint with the parameters mod=testemail and par containing a command injection payload. For example, using curl to test command injection: curl -sik http://<target_ip>/cgi-bin/web.cgi -X POST --data "mod=testemail&par=;/sbin/ifconfig" --cookie "user=admin;pass=pass;code=9999". If the command executes and returns output (like network interface details), the system is vulnerable. This method requires valid credentials (default or known). Monitoring for unusual POST requests to /cgi-bin/web.cgi with suspicious 'par' parameter values can also help detect exploitation attempts. [2, 3]

Mitigation Strategies

Immediate mitigation steps include changing default credentials to strong, unique passwords to prevent unauthorized authenticated access, restricting network access to the affected device's web interface to trusted hosts only, and disabling or restricting the 'testemail' module if possible. Applying any available vendor patches or updates that fix the input sanitization issue in the web.cgi binary is critical. Additionally, monitoring logs for suspicious POST requests to /cgi-bin/web.cgi and blocking malicious traffic can help reduce risk until a patch is applied. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25289. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart