Vaelsys VaelsysV4 up to 5.1.0/5.4.0 Web interface /grid/vgrid_server.php execute_DataObjectProc xajaxargs os command injection

Summaryinfo

A vulnerability was found in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. It has been classified as critical. This affects the function execute_DataObjectProc of the file /grid/vgrid_server.php of the component Web interface. Performing a manipulation of the argument xajaxargs results in os command injection. This vulnerability is reported as CVE-2025-8259. The attack is possible to be carried out remotely. Moreover, an exploit is present. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability, which was classified as critical, was found in Vaelsys VaelsysV4 up to 5.1.0/5.4.0 (Video Surveillance Software). This affects the function execute_DataObjectProc of the file /grid/vgrid_server.php of the component Web interface. The manipulation of the argument xajaxargs with an unknown input leads to a os command injection vulnerability. CWE is classifying the issue as CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability.

The weakness was disclosed 03/20/2026 as VSEC_V4_2025_07_0001. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2025-8259. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known. The attack technique deployed by this issue is T1202 according to MITRE ATT&CK. The advisory points out:

A command injection vulnerability was identified in Vifence3/VaelsysV4 web interface within the execute_DataObjectProc function in /grid/vgrid_server.php. The handler processes the xajaxargs parameter without sufficient sanitization, enabling attackers to inject arbitrary operating system commands. Successful exploitation allows a remote attacker to execute arbitrary commands with the privileges of the web server process user www-data. While this user is non-privileged and direct full system compromise is unlikely without additional privilege-escalation exploits, the vulnerability can still be leveraged to potentially access or exfiltrate sensitive information and to modify the web interface or application behavior for malicious purposes. Exploitation of this vulnerability>=5.1.1, >=5.4.1 requires only network access to the Vaelsys web interface and a valid PHP session identifier. Authentication is not required, provided the session is active and correctly formatted, as can be obtained from the application login interface.

The exploit is shared for download at github.com. It is declared as proof-of-concept. By approaching the search of inurl:grid/vgrid_server.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 5.1.1 or 5.4.1 eliminates this vulnerability. The upgrade is hosted for download at vaelsys.github.io.

Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Vifence3
• VaelsysV4 VaelsysOS 8
• VaelsysV4 VaelsysOS 10 up to 5.1.0
• VaelsysV4 VaelsysOS 12 up to 5.4.0

Not Affected

• VaelsysV4 VaelsysOS 10 5.1.1
• VaelsysV4 VaelsysOS 12 5.4.1

Productinfo

Type

• Video Surveillance Software

Vendor

• Vaelsys

Name

• VaelsysV4

Version

• 5.0
• 5.1
• 5.1.0
• 5.2
• 5.3
• 5.4.0

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #616920: Vaelsys Vaelsys V4 v4.1.0 Remote Code Execution in Vaelsys V4 Platform (by waiwai24)

Be aware that VulDB is the high quality source for vulnerability data.

Discussion