cbcvebase.
CVE-2019-9189
published 2019-06-05


Priority: P271, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.63% (95.5th percentile)
Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts are executed immediately and run as root rather than as the web server user, allowing an authenticated attacker to gain full system access.

Affected

1 range
Vendor | Product | Version range | Fixed in
primasystems | flexair | <= 2.3.38 |

Detection & IOCs (extracted from sources)

  • Monitor for HTTP POST requests to /bin/sysfcgi.fx, which is the vulnerable endpoint used to inject commands and upload arbitrary files on Prima/FlexAir devices.
  • Alert on HTTP GET requests retrieving files from /app/images/logos/ — attackers write command output or uploaded payloads to this web-accessible directory for exfiltration.
  • Detect execution context of web-initiated processes running as root (uid=0); the exploit confirms code runs as root, not as the web server user.
  • Flag uploads of Python scripts via the web interface to the central controller configuration, as the application executes them immediately with root privileges.
  • Exploitation requires authentication; the attacker must have valid credentials before abusing the file upload/command injection functionality.
  • The vulnerability affects Prima Systems FlexAir versions 2.4.9api3 and prior, as well as Prima Access Control 2.3.35; scope detection rules to these product versions.
  • The device runs on an ARM (armv7l) Linux platform; host-based detection rules should account for this architecture.
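
The first two network indicators above can be combined into one correlation rule. The sketch below is an added example, not taken from the advisory or the vendor: it assumes access logs in common/combined format from a proxy or sensor in front of the device, a five-minute correlation window, and constructed sample lines.

```python
import re
from datetime import datetime, timedelta

# Paths named in the detection notes above.
UPLOAD_ENDPOINT = "/bin/sysfcgi.fx"
DROP_DIR = "/app/images/logos/"
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per site

# Common/combined access-log format (assumed; adjust to the log source in use).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path without query) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def detect(lines):
    """Return (severity, ip, timestamp, reason) tuples for matching requests."""
    alerts, last_post = [], {}
    for rec in filter(None, map(parse, lines)):
        ip, ts, method, path = rec
        if method == "POST" and path == UPLOAD_ENDPOINT:
            last_post[ip] = ts
            alerts.append(("medium", ip, ts, "POST to " + UPLOAD_ENDPOINT))
        elif method == "GET" and path.startswith(DROP_DIR):
            seen = last_post.get(ip)
            # Same client fetching from the drop directory shortly after a POST.
            if seen is not None and timedelta(0) <= ts - seen <= WINDOW:
                alerts.append(("high", ip, ts, "GET from " + DROP_DIR + " after POST"))
            else:
                alerts.append(("low", ip, ts, "GET from " + DROP_DIR))
    return alerts

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [05/Jun/2019:10:00:01 +0000] "POST /bin/sysfcgi.fx HTTP/1.1" 200 41',
    '198.51.100.7 - - [05/Jun/2019:10:00:03 +0000] "GET /app/images/logos/out.txt HTTP/1.1" 200 64',
    '203.0.113.9 - - [05/Jun/2019:10:02:00 +0000] "GET /app/images/logos/logo.png HTTP/1.1" 200 9120',
    '203.0.113.9 - - [05/Jun/2019:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

Single hits on either path may be ordinary interface traffic, so the correlated "high" alert is the one to route for triage first.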

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C