CVE-2019-9189
HIGH
Primasystems Flexair < 2.3.38 - Unrestricted File Upload
Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be executed immediately, and they run as root rather than as the web server user, allowing an authenticated attacker to gain full system access.
Exploits (1)
References (5)
Scores
CVSS v3: 8.8
EPSS: 0.2000
EPSS Percentile: 95.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-434
Status: published
Products (1): primasystems/flexair < 2.3.38
Published: Jun 05, 2019
Tracked Since: Feb 18, 2026