Platform
other
Component
netgain-em-plus
Fixed in
10.1.69
CVE-2019-25468 is a critical Remote Code Execution (RCE) vulnerability discovered in NetGain EM Plus. This vulnerability allows unauthenticated attackers to execute arbitrary system commands, potentially leading to complete system compromise. It affects version 10.1.68, and a patch is available from the vendor.
The impact of CVE-2019-25468 is severe. An attacker can exploit this vulnerability to execute arbitrary code on the server hosting NetGain EM Plus, effectively gaining complete control of the system. This could involve data theft, modification, or deletion, as well as the installation of malware or the use of the compromised system as a launchpad for further attacks against the internal network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. This vulnerability shares similarities with other web application vulnerabilities where improper input validation allows for command injection.
CVE-2019-25468 was published on 2026-03-11. Public proof-of-concept (PoC) code is likely to exist or emerge due to the vulnerability's simplicity and high impact. The EPSS score is likely to be high, indicating a significant probability of exploitation. While no active campaigns have been publicly confirmed, the ease of exploitation makes it a prime target for opportunistic attackers.
Organizations utilizing NetGain EM Plus for email management, particularly those running the vulnerable version 10.1.68, are at significant risk. Shared hosting environments where multiple users share the same server are especially vulnerable, as a compromised account could potentially be used to exploit this vulnerability.
• windows / other: Monitor NetGain EM Plus server logs for POST requests to script_test.jsp with unusual or suspicious content in the 'content' parameter. Use Sysinternals tools like Process Monitor to observe process creation and command-line arguments.
• linux / server: Monitor system logs (e.g., /var/log/syslog, /var/log/auth.log) for unusual process executions or command-line activity related to the NetGain EM Plus installation directory. Use auditd to track file access and modifications.
• generic web: Use curl or wget to test the script_test.jsp endpoint with a benign POST request and verify that it does not execute arbitrary commands. Examine response headers for unexpected content or errors.
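The log check from the list above, as an added example that is not part of the original advisory or vendor code: it scans web access logs for POST requests to script_test.jsp and groups them by client address. It assumes Common/Combined Log Format; the sample lines and the /app/ path prefix are constructed placeholders. Access logs normally do not record POST bodies, so the 'content' parameter is not visible here and every POST to the endpoint is reported for review.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
ENDPOINT = "script_test.jsp"  # endpoint named in the advisory


def normalise_path(target: str) -> str:
    """Strip the query, percent-decode twice (double encoding), lower-case."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    # Drop ;name=value path parameters; lower-casing is deliberately over-inclusive.
    return path.split(";", 1)[0].lower()


def find_hits(lines):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalise_path(m["target"]).rsplit("/", 1)[-1] == ENDPOINT:
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)


# Constructed sample lines; the /app/ prefix is a placeholder, not the real path.
SAMPLE = [
    '203.0.113.7 - - [11/Mar/2026:10:01:02 +0000] "POST /app/script_test.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Mar/2026:10:01:09 +0000] "POST /app/script%5Ftest.jsp;x=1 HTTP/1.1" 200 498',
    '198.51.100.4 - - [11/Mar/2026:10:02:00 +0000] "GET /app/script_test.jsp HTTP/1.1" 200 2048',
    '192.0.2.15 - - [11/Mar/2026:10:03:30 +0000] "POST /app/login.jsp HTTP/1.1" 302 0',
    '192.0.2.99 - - [11/Mar/2026:10:04:00 +0000] "POST /app/SCRIPT_TEST.JSP?a=b HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, events in find_hits(SAMPLE).items():
        print(ip, len(events), events)
```

A 200 response to such a POST from an address outside the administrators' range is the case to investigate first; correlate its timestamp with process-creation records on the host.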
EPSS
0.29% (52nd percentile)
The primary mitigation for CVE-2019-25468 is to upgrade NetGain EM Plus to a patched version as soon as possible. If immediate patching is not feasible, consider implementing temporary workarounds such as restricting access to the script_test.jsp endpoint through a Web Application Firewall (WAF) or proxy server. Configure the WAF to block POST requests to this endpoint or to validate the 'content' parameter to prevent malicious commands from being executed. Thoroughly review and harden the NetGain EM Plus configuration to minimize the attack surface. After upgrading, confirm the vulnerability is resolved by attempting to access the script_test.jsp endpoint with a benign POST request and verifying that no system commands are executed.
Upgrade NetGain EM Plus to a fixed version. Consult the vendor documentation or the vendor's website for specific instructions on how to apply the update and mitigate the vulnerability.
CVE-2019-25468 is a critical Remote Code Execution vulnerability in NetGain EM Plus version 10.1.68, allowing unauthenticated attackers to execute system commands.
If you are running NetGain EM Plus version 10.1.68, you are potentially affected by this vulnerability. Check your version and upgrade immediately.
The recommended fix is to upgrade to a patched version of NetGain EM Plus. If patching is not immediately possible, implement WAF rules to block malicious requests.
While no active campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high risk of exploitation.
Refer to the NetGain EM Plus security advisories on their official website for the latest information and patch details.