CVE-2019-19994

9.8 CRITICAL

📋 TL;DR

CVE-2019-19994 is a critical command injection vulnerability in Selesta Visual Access Manager (VAM) that allows unauthenticated attackers to execute arbitrary operating system commands on affected systems. This affects VAM versions 4.15.0 through 4.29. Organizations using these versions are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Selesta Visual Access Manager (VAM)
Versions: 4.15.0 through 4.29
Operating Systems: Any OS running VAM (typically Linux-based)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable PHP page /common/vam_monitor_sap.php is accessible without authentication by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data theft, lateral movement, ransomware deployment, and persistent backdoor installation across the network.

🟠

Likely Case

Initial foothold leading to privilege escalation, credential harvesting, and deployment of additional malware or persistence mechanisms.

🟢

If Mitigated

Limited impact if proper network segmentation, web application firewalls, and monitoring are in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable without authentication via a PHP web page, making internet-facing instances extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or attackers who gain initial network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with public proof-of-concept code available. Attackers can easily automate exploitation due to the unauthenticated nature and simple command injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.30 or later

Vendor Advisory: https://www.seling.it/

Restart Required: Yes

Instructions:

1. Download the latest VAM version from Selesta's official website.
2. Back up the current configuration and data.
3. Install the updated version following the vendor documentation.
4. Restart the VAM service and verify functionality.

🔧 Temporary Workarounds

Block Vulnerable Endpoint


Restrict access to the vulnerable PHP page using web server configuration or firewall rules.

# Apache (2.4 syntax):
<Location "/common/vam_monitor_sap.php">
    Require all denied
</Location>

# Nginx:
location = /common/vam_monitor_sap.php { deny all; }

Input Validation


Implement strict allow-list validation for every request parameter the vulnerable script passes to a shell command, rejecting any value outside the expected character set.

# In vam_monitor_sap.php, validate each parameter before it reaches any shell call
# (illustrative; 'param' stands for the script's real parameter name):
$param = $_GET['param'] ?? '';
if (!preg_match('/^[a-zA-Z0-9_-]+$/', $param)) { die('Invalid input'); }

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate VAM instances from critical systems
  • Deploy a web application firewall (WAF) with command injection rules and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if /common/vam_monitor_sap.php exists and is accessible without authentication. Test with controlled command injection payloads in a safe environment.

Check Version:

# Check VAM version through web interface or configuration files

Verify Fix Applied:

Verify the VAM version is 4.30 or later and test that /common/vam_monitor_sap.php properly validates input or returns appropriate errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests to /common/vam_monitor_sap.php with shell metacharacters
  • System command execution from web server process
  • Unexpected process creation by web server user

Network Indicators:

  • HTTP requests containing shell commands (;, |, &, $, etc.) to the vulnerable endpoint
  • Outbound connections from web server to unexpected destinations

SIEM Query:

source="web_server" AND (url="/common/vam_monitor_sap.php" AND (request CONTAINS ";" OR request CONTAINS "|" OR request CONTAINS "&" OR request CONTAINS "$"))
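As an added example (not part of the original advisory), the script below applies the log indicators above to constructed Apache access-log lines. Unlike the SIEM query, it URL-decodes each query value separately, so the "&" that separates parameters does not fire while an encoded metacharacter inside a value (e.g. %3B) does. The parameter name "host" and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:10:00:01 +0000] "GET /common/vam_monitor_sap.php?host=sap01 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2020:10:00:02 +0000] "GET /common/vam_monitor_sap.php?host=sap01%3Bid HTTP/1.1" 200 780 "-" "curl/7.64.0"
203.0.113.9 - - [10/Jan/2020:10:00:03 +0000] "GET /common/vam_monitor_sap.php?host=sap01&site=milan HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2020:10:00:04 +0000] "GET /index.php?q=a%7Cb HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

VULN_PATH = "/common/vam_monitor_sap.php"
# Shell metacharacters that have no business in a monitor hostname/identifier value.
META = re.compile(r"[;|&`$<>\n\r]")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return {param: decoded value} for query values carrying shell metacharacters.

    Only the vulnerable endpoint is inspected. parse_qsl splits on the literal
    '&' separator before decoding, so '%26' inside a value is still caught while
    the separator itself never triggers a false positive.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return {}
    return {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if META.search(v)}


def scan(log_text):
    """Return a list of (client_ip, request_target, flagged_params) alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            alerts.append((rec["ip"], rec["target"], hits))
    return alerts


if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {target} params={hits}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the script only reads, it never contacts the VAM host.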

🔗 References
