CVE-2019-25243

HIGH

FaceSentry 6.4.8 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25243. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates an authenticated OS command injection vulnerability in FaceSentry Access Control System versions 6.4.8 and earlier. The vulnerability allows arbitrary command execution as root via the 'strInIP' and 'strInPort' parameters in pingTest.php and tcpPortTest.php.

Description

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in the pingTest.php and tcpPortTest.php scripts. The 'strInIP' and 'strInPort' parameters are not sanitized, so an attacker who manipulates them can inject and execute arbitrary shell commands with root privileges.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · hardware
https://www.exploit-db.com/exploits/47064

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FaceSentry Access Control System 6.4.8 build 264, 5.7.2 build 568, 5.7.0 build 539
Auth required
Prerequisites: Authenticated session with default credentials · Network access to the target system
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry (exploit): https://www.exploit-db.com/exploits/47064
Product (product): http://www.iwt.com.hk
Exploit, Third Party Advisory (third-party-advisory): https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php

Scores

CVSS v3 8.8
EPSS 0.0232
EPSS Percentile 81.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-78
Status published
Products (3)
iwt/facesentry_access_control_system_firmware 5.7.0
iwt/facesentry_access_control_system_firmware 5.7.2
iwt/facesentry_access_control_system_firmware 6.4.8
Published Dec 24, 2025
Tracked Since Feb 18, 2026