CVE-2019-25024

CRITICAL

OpenRepeater <2.2 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-25024. PoCs published by CodeSecLab, codexlynx.

AI-analyzed exploit summary This exploit demonstrates an OS command injection vulnerability in OpenRepeater before version 2.2. It sends a crafted POST request to the vulnerable endpoint, executing an arbitrary command (e.g., 'id') via the 'post_service' parameter.

Description

OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_system.php post_service parameter.

Exploits (2)

exploitdb WORKING POC

by CodeSecLab · textwebappsphp

https://www.exploit-db.com/exploits/52452

View Code ZIP pw:eip

This exploit demonstrates an OS command injection vulnerability in OpenRepeater before version 2.2. It sends a crafted POST request to the vulnerable endpoint, executing an arbitrary command (e.g., 'id') via the 'post_service' parameter.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: OpenRepeater 2.1

No auth needed

Prerequisites: Network access to the target · Vulnerable endpoint exposed

MITRE ATT&CK

T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by codexlynx · poc

https://github.com/codexlynx/CVE-2019-25024

View Code ZIP pw:eip

The repository contains a functional Python exploit for CVE-2019-25024, an unauthenticated command injection vulnerability in OpenRepeater (ORP) versions 2.0.x. The exploit sends a crafted POST request to the vulnerable endpoint, injecting a command via the 'post_service' parameter.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: OpenRepeater (ORP) 2.0.x

No auth needed

Prerequisites: Network access to the target · Vulnerable version of OpenRepeater (ORP)

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources

https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2019-25024.md

View Writeup ZIP pw:eip

Exploit, Third Party Advisory

https://github.com/OpenRepeater/openrepeater/issues/66

Third Party Advisory

https://github.com/codexlynx/CVE-2019-25024

Scores

CVSS v3 9.8

EPSS 0.6257

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

alleghenycreative/openrepeater < 2.2

Published Feb 19, 2021

Tracked Since Feb 18, 2026