INIM Electronics SmartLiving SmartLAN/G/SI <=6.x Remote Command Execution

Advisories

severity: high
date: January 7, 2026
Affecting: SmartLiving SmartLAN/G/SI <=6.x, 505, 515, 1050, 1050/G3, 10100L, 10100L/G3
CVE: CVE-2019-25289
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Zero Science Lab Vulnerability Advisory
Exploit Database Entry 47765
Packet Storm Security Exploit File
CXSecurity Vulnerability Issue
IBM X-Force Vulnerability Exchange Entry
Inim Vendor Homepage
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.