CVE-2019-25243

HIGH

FaceSentry 6.4.8 - Command Injection

Title source: llm

Description

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappshardware

https://www.exploit-db.com/exploits/47064

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/47064

[Product] http://www.iwt.com.hk

[Exploit, Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php

Scores

CVSS v3 8.8

EPSS 0.0115

EPSS Percentile 78.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (3)

iwt/facesentry_access_control_system_firmware 5.7.0

iwt/facesentry_access_control_system_firmware 5.7.2

iwt/facesentry_access_control_system_firmware 6.4.8

Published Dec 24, 2025

Tracked Since Feb 18, 2026