FaceSentry 6.4.8 Authenticated Remote Command Injection via Ping Test

Advisories

severity: high
date: December 24, 2025
Affecting: FaceSentry Access Control System 6.4.8 build 264, 5.7.2 build 568, 5.7.0 build 539
CVE: CVE-2019-25243
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-47064
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5523)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.