CVE-2025-59741
📋 TL;DR
This is a critical command injection vulnerability in AndSoft's e-TMS v25.03 that allows unauthenticated attackers to execute arbitrary operating system commands on the server by sending a specially crafted POST request to the '/CLT/LOGINERRORFRM.ASP' endpoint. All organizations running the vulnerable version are affected and could have their servers completely compromised.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS (transport management system) by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover leading to data theft, ransomware deployment, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Initial foothold leading to credential harvesting, data exfiltration, and deployment of cryptocurrency miners or botnet malware.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and least privilege principles are implemented, though the vulnerability still exists.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via HTTP POST requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
No official patch is available. Monitor the vendor advisory for updates and consider workarounds or alternative solutions.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Block or sanitize requests that carry command injection patterns (shell metacharacters such as |, ;, &, and backtick in the 'm' parameter) in POSTs to the vulnerable endpoint. Match the path case-insensitively and after percent-decoding, since IIS resolves /clt/loginerrorfrm.asp and /CLT/LOGINERRORFRM.ASP to the same page.
WAF-specific configuration required
Network Access Control
linuxRestrict access to the vulnerable endpoint using network segmentation or firewall rules
iptables -A INPUT -p tcp --dport 80 -m string --string "/CLT/LOGINERRORFRM.ASP" --algo bm -j DROP
🧯 If You Can't Patch
- Isolate the e-TMS server in a separate network segment with strict firewall rules
- Implement input validation in front of the application, since the e-TMS code itself is the vendor's: have a reverse proxy or WAF reject POSTs to /CLT/LOGINERRORFRM.ASP whose 'm' parameter contains shell metacharacters
🔍 How to Verify
Check if Vulnerable:
Check whether the application version is v25.03. In an authorized test only, probe for command injection via POST requests to /CLT/LOGINERRORFRM.ASP with the 'm' parameter, using a non-destructive indicator (a timing delay or an out-of-band DNS/HTTP callback) rather than a real command.
Check Version:
Check application documentation or interface for version information
Verify Fix Applied:
Verify that command injection attempts no longer succeed and that the application has been updated or protected
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /CLT/LOGINERRORFRM.ASP, including mixed-case or percent-encoded spellings of the path
- Shell metacharacters or command names such as cmd.exe, powershell, whoami, or bash in request parameters (standard IIS W3C logs do not record POST bodies, so this needs a WAF or reverse-proxy log, or request-body logging)
- The web server worker process (w3wp.exe on IIS, which hosts classic ASP pages like this one) spawning cmd.exe or powershell.exe, visible in process-creation telemetry (Sysmon Event ID 1 or Windows Security Event 4688)
Network Indicators:
- POST requests to /CLT/LOGINERRORFRM.ASP with shell metacharacters in parameters
- Outbound connections from web server to unusual destinations
SIEM Query:
source="web_logs" AND uri="/CLT/LOGINERRORFRM.ASP" AND method="POST" AND param="m" AND (value CONTAINS "|" OR value CONTAINS ";" OR value CONTAINS "&" OR value CONTAINS "`")
Note: the original form of this query mixed AND and OR without parentheses, so the OR branches matched any request regardless of endpoint; the grouping above restricts all four metacharacter checks to the 'm' parameter of POSTs to the endpoint. The 'value' field assumes the log source records request bodies (a WAF or reverse proxy), and the uri match should be made case-insensitive in your SIEM's syntax, since IIS treats the path case-insensitively.
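The matching logic behind both the WAF workaround above and the SIEM query, as an added example that is not part of the original advisory or of AndSoft's product: it scans constructed reverse-proxy log lines (tab-separated client IP, method, URI, body; this format is an assumption, chosen because IIS W3C logs lack request bodies), compares the path case-insensitively after percent-decoding, and checks the 'm' parameter for shell metacharacters after a second decode so that double-encoded payloads do not slip past. The metacharacter set goes slightly beyond the four in the query above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory. IIS matches paths
# case-insensitively, so the comparison is done on a lowercased,
# percent-decoded path rather than the literal string from the SIEM query.
VULN_PATH = "/clt/loginerrorfrm.asp"
VULN_PARAM = "m"

# Characters that chain or substitute commands in cmd.exe or a POSIX shell.
# Superset of the four characters (| ; & `) in the SIEM query.
SHELL_META = re.compile(r"[|;&`$<>\r\n]")


def is_vulnerable_endpoint(method: str, uri: str) -> bool:
    """True for a POST whose decoded, lowercased path is the vulnerable page."""
    path = unquote(urlsplit(uri).path).lower()
    return method.upper() == "POST" and path == VULN_PATH


def injected_values(body: str) -> list[str]:
    """Return decoded values of parameter m that carry shell metacharacters.

    parse_qs percent-decodes once; the extra unquote() catches double-encoded
    payloads such as %257C, which a single decode would leave as %7C.
    """
    hits = []
    for value in parse_qs(body, keep_blank_values=True).get(VULN_PARAM, []):
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines):
    """Return (client_ip, decoded_value) for every suspicious request.

    Assumed (hypothetical) log format: one request per line, tab-separated
    client_ip, method, uri, request body, as a reverse proxy or WAF in front
    of e-TMS could be configured to write.
    """
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the scanner
        client_ip, method, uri, body = parts
        if not is_vulnerable_endpoint(method, uri):
            continue
        for value in injected_values(body):
            findings.append((client_ip, value))
    return findings


# Constructed sample lines, not real traffic. Line 2 uses a mixed-case path
# and an encoded pipe, line 3 a double-encoded pipe, line 4 is a GET and
# line 5 targets a different page; only lines 2, 3 and 6 should alert.
SAMPLE_LOG = [
    "198.51.100.7\tPOST\t/CLT/LOGINERRORFRM.ASP\tm=Invalid+user",
    "203.0.113.9\tPOST\t/clt/LoginErrorFrm.asp\tm=x%7Cwhoami",
    "203.0.113.9\tPOST\t/CLT/LOGINERRORFRM.ASP\tm=x%257Cwhoami",
    "203.0.113.9\tGET\t/CLT/LOGINERRORFRM.ASP\tm=x%3Bwhoami",
    "192.0.2.5\tPOST\t/CLT/OTHER.ASP\tm=a%26b",
    "203.0.113.9\tPOST\t/CLT/LOGINERRORFRM.ASP\tm=%60id%60&other=1",
]

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} m={value!r}")
```

Run as a script it prints one ALERT line per flagged request. The same two functions, is_vulnerable_endpoint and injected_values, are what a WAF rule for the workaround above has to express: the page-name comparison and the metacharacter check both operate on decoded input, which is why a rule written against the literal uppercase path or the raw, still-encoded body is easy to bypass.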