{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2019-25671/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2019-25671"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","cve-2019-25671","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVA MAX 8.3.4 is susceptible to a remote code execution (RCE) vulnerability identified as CVE-2019-25671. This vulnerability allows authenticated attackers to inject shell metacharacters into the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter, leading to arbitrary command execution. The attack vector involves sending crafted POST requests to the \u003ccode\u003echangeip.php\u003c/code\u003e endpoint. Successful exploitation grants the attacker the ability to execute commands as the \u003ccode\u003eapache\u003c/code\u003e user. This vulnerability poses a significant risk to organizations using the affected VA MAX version, as it can lead to complete system compromise. Given the ease of exploitation and the potential for significant impact, defenders need to prioritize detection and mitigation efforts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the VA MAX 8.3.4 web interface using valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious POST request targeting the \u003ccode\u003echangeip.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter containing shell metacharacters and the desired command for execution.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echangeip.php\u003c/code\u003e script processes the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe injected shell metacharacters are interpreted by the system, leading to command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker-supplied command is executed with the privileges of the \u003ccode\u003eapache\u003c/code\u003e user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the system, potentially installing malware, exfiltrating data, or performing other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2019-25671 allows an attacker to execute arbitrary commands on the affected VA MAX 8.3.4 system. This can lead to complete system compromise, data theft, and disruption of services. If VA MAX manages critical infrastructure, this vulnerability could have significant real-world consequences. Given the publicly available exploit code, the risk of widespread exploitation is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003echangeip.php\u003c/code\u003e containing shell metacharacters in the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003emtu_eth0\u003c/code\u003e parameter within the \u003ccode\u003echangeip.php\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eConsider upgrading to a patched version of VA MAX that addresses CVE-2019-25671.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised VA MAX system.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to prevent unauthorized access to the VA MAX web interface.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious processes spawned by the \u003ccode\u003eapache\u003c/code\u003e user, which could indicate successful exploitation of the RCE vulnerability using the Sigma rule \u003ccode\u003eDetect Suspicious Processes Spawned by Apache\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:44Z","date_published":"2026-04-05T21:16:44Z","id":"/briefs/2026-04-va-max-rce/","summary":"VA MAX 8.3.4 is vulnerable to remote code execution (CVE-2019-25671), allowing authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter via a POST request to changeip.php.","title":"VA MAX 8.3.4 Remote Code Execution via changeip.php (CVE-2019-25671)","url":"https://feed.craftedsignal.io/briefs/2026-04-va-max-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2019-25671","version":"https://jsonfeed.org/version/1.1"}