LiveActive security incident?Get immediate response
CVE Record

CVE-2019-25289: INIM Electronics SmartLiving SmartLAN/G/SI <=6.x Remote Command Execution

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.

HighCVSS 8.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This issue affects INIM SmartLiving SmartLAN/G/SI alarm-network modules running version 6.x or earlier. An authenticated attacker, especially where default credentials remain in use, can execute commands on the device as root. For executives, the concern is compromise of security-alarm infrastructure, not just an IT server.

Executive priority

Treat as a high-priority exposure review for physical security infrastructure. Prioritize internet-facing or remotely managed alarm systems, then sites using default credentials. If no vendor-supported update is available, reduce network exposure and consider replacement planning for affected devices.

Technical view

CVE-2019-25289 is an authenticated OS command injection in SmartLiving SmartLAN web.cgi. The reported vulnerable path uses the testemail module and an unsanitized POST parameter passed to system(), enabling root-level command execution. CVSS is 8.8. Public exploit references exist, but the provided sources do not establish active exploitation.

Likely exposure

Exposure is most likely where SmartLAN/G/SI management interfaces are reachable over a network and still use default or weak credentials. Internet-exposed devices would carry higher risk. Organizations using listed SmartLiving models should assume possible exposure until firmware version, credential state, and management access paths are verified.

Exploitation context

The vulnerability requires authentication but low attack complexity and no user interaction. The source bundle specifically notes exploitation using default credentials. Public exploit entries are listed by Exploit-DB and Packet Storm, increasing practical risk, but CISA KEV status is false and no provided source confirms active exploitation.

Researcher notes

Evidence comes from CVE metadata and third-party advisories. The record identifies CWE-78 and root command execution through web.cgi. Public exploit references exist, but this analysis does not validate exploit reliability. Patch availability is not stated in the provided sources, so remediation should be tied to current INIM guidance.

Mitigation direction

  • Identify all INIM SmartLiving SmartLAN/G/SI devices and firmware versions.
  • Remove management interfaces from internet exposure and untrusted networks.
  • Change default credentials and enforce unique strong passwords.
  • Restrict access to management interfaces using network controls.
  • Check INIM guidance for supported firmware updates or replacement options.
  • Monitor affected devices for unexpected configuration changes or outages.

Validation and detection

  • Inventory SmartLiving models 505, 515, 1050, 1050/G3, 10100L, and 10100L/G3.
  • Confirm whether firmware is version 6.x or earlier.
  • Verify no device uses default credentials.
  • Review firewall rules for exposed management interfaces.
  • Check logs for unusual authenticated administrative activity.
  • Document vendor guidance, patch status, or compensating controls.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-78: Command execution behavior lookup

Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-25289 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
7Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H2.85.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

8.8High
CVSS 3.1 vector shape for CVE-2019-25289Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
INIM Electronics s.r.l.SmartLiving SmartLAN/G/SI<=6.0, 505, 515, 1050, 1050/G3, 10100L, 10100L/G3Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-78 · source CWE mapping

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.