CVE-2019-25024 in OpenRepeater
Summary
by MITRE • 02/19/2021
OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_system.php post_service parameter.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/08/2025
OpenRepeater represents a critical vulnerability in the form of unauthenticated command injection within the functions/ajax_system.php file of versions prior to 2.2. This flaw specifically targets the post_service parameter which processes user-supplied input without proper sanitization or validation. The vulnerability stems from the application's failure to properly escape or filter shell metacharacters, allowing malicious actors to inject arbitrary commands that execute with the privileges of the web application. The attack vector is particularly dangerous because it requires no authentication, making it accessible to any remote attacker who can submit a POST request to the affected endpoint. This command injection vulnerability directly maps to CWE-77 which describes improper neutralization of special elements used in a command shell, and aligns with ATT&CK technique T1059.001 for command and scripting interpreter. The operational impact of this vulnerability extends beyond simple command execution as it provides attackers with full control over the underlying system, potentially enabling them to escalate privileges, establish persistence, or access sensitive data. The vulnerability exists in the context of a web application that manages radio communication systems, where the compromised system could serve as a critical infrastructure component for emergency services or communication networks. Attackers could leverage this weakness to gain unauthorized access to network resources, deploy malware, or disrupt communication services. The flaw demonstrates a fundamental lack of input validation and proper sanitization practices within the application's codebase, particularly in how it handles user-provided data in the post_service parameter. Organizations using OpenRepeater versions before 2.2 face significant risk as this vulnerability could be exploited to compromise entire communication infrastructures. The security implications are compounded by the fact that the affected system is likely part of critical communication networks where unauthorized access could have severe operational consequences. Mitigation strategies should include immediate upgrade to version 2.2 or later which addresses the command injection vulnerability through proper input validation and sanitization. Additionally, network segmentation and access controls should be implemented to limit exposure of the affected system. Security monitoring should be enhanced to detect unusual command execution patterns, and regular security audits should be conducted to identify similar vulnerabilities in other components of the communication infrastructure. The vulnerability underscores the importance of implementing defense-in-depth strategies and proper secure coding practices to prevent similar issues in critical infrastructure applications. Organizations should also consider implementing web application firewalls and input validation controls to protect against similar command injection attacks targeting other web applications within their network perimeter.