CVE-2019-9189

HIGH

Prima Systems FlexAir < 2.3.38 - Authenticated Arbitrary File Upload and Remote Code Execution via Python Script Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9189. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates an authenticated arbitrary file upload vulnerability in Prima Access Control 2.3.35, allowing an attacker to upload a Python script that reads `/etc/passwd` and executes system commands, writing the output to a web-accessible file.

Description

Prima Systems FlexAir, versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be executed immediately, and they run as root rather than as the web server user, allowing an authenticated attacker to gain full system access.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · hardware
https://www.exploit-db.com/exploits/47634

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Prima Access Control 2.3.35
Auth required
Prerequisites: Authenticated session · Network access to the target
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory (x_refsource_misc): https://applied-risk.com/labs/advisories
Third Party Advisory (x_refsource_misc): https://applied-risk.com/resources/ar-2019-007

Scores

CVSS v3 8.8
EPSS 0.1163
EPSS Percentile 95.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): primasystems/flexair < 2.3.38
Published Jun 05, 2019
Tracked Since Feb 18, 2026