CVE-2019-25289

HIGH

SmartLiving SmartLAN <=6.x - Command Injection

Title source: llm

Description

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappshardware

https://www.exploit-db.com/exploits/47765

View Code ZIP pw:eip

References (6)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/47765

[Exploit, Third Party Advisory] https://packetstormsecurity.com/files/155616

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/172840

[Various Sources] https://www.inim.biz/

[Issue Tracking] https://cxsecurity.com/issue/WLB-2019120046

Scores

CVSS v3 8.8

EPSS 0.0043

EPSS Percentile 62.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (7)

INIM Electronics s.r.l./SmartLiving SmartLAN/G/SI 10100L

INIM Electronics s.r.l./SmartLiving SmartLAN/G/SI 10100L/G3

INIM Electronics s.r.l./SmartLiving SmartLAN/G/SI 1050

INIM Electronics s.r.l./SmartLiving SmartLAN/G/SI 1050/G3

INIM Electronics s.r.l./SmartLiving SmartLAN/G/SI 505

INIM Electronics s.r.l./SmartLiving SmartLAN/G/SI 515

INIM Electronics s.r.l./SmartLiving SmartLAN/G/SI <=6.0

Published Jan 08, 2026

Tracked Since Feb 18, 2026