8.3.5
CVE-2019-25671 describes a remote code execution (RCE) vulnerability present in VA MAX version 8.3.4. An authenticated attacker can exploit this flaw by injecting shell metacharacters into the mtu_eth0 parameter of the changeip.php endpoint, which lets them execute arbitrary commands on the system. This vulnerability poses a significant risk to systems running affected versions of VA MAX, and a patch is required to remediate the issue.
Successful exploitation of CVE-2019-25671 allows an attacker to execute arbitrary commands on the VA MAX server with the privileges of the Apache user. This could lead to complete system compromise, including data exfiltration, malware installation, and denial of service. The attacker would need to be authenticated to the system to exploit this vulnerability. Given the potential for full system control, the blast radius is significant, potentially impacting all services and data hosted on the affected server. While no direct precedent is immediately obvious, the injection of shell metacharacters to achieve RCE is a common attack vector, and similar vulnerabilities have been exploited in other web applications.
CVE-2019-25671 was published on 2026-04-05. The EPSS score is currently unavailable, but given the RCE nature of the vulnerability and the ease of exploitation (requiring only authentication), it is likely to be assessed as medium or high probability. Public proof-of-concept exploits are likely to exist or emerge given the vulnerability's nature and the time elapsed since publication. Check NVD and CISA for updates on exploitation activity.
EPSS: 0.41% (61st percentile)
The primary mitigation for CVE-2019-25671 is to upgrade VA MAX to a patched version. Unfortunately, the available advisory data does not specify a fixed version. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation on the mtu_eth0 parameter in the changeip.php endpoint is crucial; strictly limit allowed characters and sanitize any user-supplied input. A Web Application Firewall (WAF) can be configured to block requests containing suspicious shell metacharacters. Monitor access logs for unusual activity related to the changeip.php endpoint. After upgrading, confirm the vulnerability is resolved by attempting to send a malicious payload to the changeip.php endpoint and verifying that the command is not executed.
Update to a patched version of VA MAX that addresses the remote code execution vulnerability. Refer to the vendor's documentation for specific upgrade instructions. As a temporary measure, restrict access to the changeip.php file and strictly validate the input of the mtu_eth0 parameter.
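The strict validation described above, as an added example (not VA MAX code and not from the vendor): a Python filter that a reverse proxy or WAF hook could apply to form-encoded bodies sent to changeip.php. The 68 to 9000 range, the function names, the form encoding of mtu_eth0, and the sample bodies are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumed bounds: 68 (IPv4 minimum) to 9000 (a common jumbo-frame size).
MTU_MIN, MTU_MAX = 68, 9000
# ASCII digits only; used with fullmatch so a trailing newline cannot slip through.
_DIGITS = re.compile(r"[0-9]{2,4}")


def validate_mtu(raw):
    """Return the MTU as an int, or None when the value must be rejected."""
    if not isinstance(raw, str) or not _DIGITS.fullmatch(raw):
        return None
    value = int(raw)
    return value if MTU_MIN <= value <= MTU_MAX else None


def check_request_body(body):
    """Return (allowed, reason) for a form-encoded body sent to changeip.php."""
    # Split on "&" only, so ";" stays inside the value and is seen by the check.
    pairs = parse_qsl(body, keep_blank_values=True, separator="&")
    values = [v for k, v in pairs if k == "mtu_eth0"]
    if not values:
        return True, "mtu_eth0 absent"
    if len(values) > 1:
        # Repeated parameters can make the filter and the application disagree.
        return False, "duplicate mtu_eth0"
    if validate_mtu(values[0]) is None:
        return False, "mtu_eth0 is not an integer in range"
    return True, "ok"


# Constructed sample bodies; "other" is a placeholder parameter name.
SAMPLES = [
    "other=1&mtu_eth0=1500",
    "mtu_eth0=1500%3Bx",
    "mtu_eth0=1500%0A",
    "mtu_eth0=1500&mtu_eth0=9000",
    "mtu_eth0=99999",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", check_request_body(body))
```

An allowlist of this kind rejects everything that is not a plain integer, so it does not depend on enumerating individual shell metacharacters.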
CVE-2019-25671 is a remote code execution vulnerability in VA MAX version 8.3.4 that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters.
If you are running VA MAX version 8.3.4, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of VA MAX. If upgrading is not immediately possible, implement input validation and WAF rules as temporary mitigations.
While there is no confirmed widespread exploitation, the vulnerability's nature and the time elapsed since publication suggest that exploitation is possible and should be considered a risk.
Refer to the VA MAX website or security mailing lists for the official advisory related to CVE-2019-25671.