CVE-2019-16662
Description
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
rConfig 3.9.2 allows unauthenticated remote command execution via the rootUname parameter in ajaxServerSettingsChk.php.
Vulnerability
In rConfig version 3.9.2, the file install/lib/ajaxHandlers/ajaxServerSettingsChk.php accepts a GET parameter rootUname and passes it directly to the PHP exec() function without any sanitization or filtering [1]. This allows an attacker to inject arbitrary operating system commands. The vulnerability is present in the installation helper script, which is accessible without authentication.
Exploitation
An attacker exploits this by sending a crafted GET request to the vulnerable endpoint; no authentication is required. The rootUname value is prefixed with a command separator (e.g., ;) followed by the desired OS command, optionally terminated with # so that the shell ignores the rest of the original command line. For example, a reverse shell payload can be used to gain interactive access [2]. The request takes the form /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=;command, with the payload URL-encoded when it is sent over HTTP.
Impact
Successful exploitation results in remote code execution as the web server user (typically www-data or apache). The attacker can fully compromise the rConfig server, including reading sensitive configuration files, modifying device backups, and pivoting to other network devices managed by rConfig.
Mitigation
No official patch has been released for rConfig 3.9.2. Users should upgrade to a supported version, such as rConfig V8 Core or later, which is not affected by this vulnerability [3]. As a workaround, restrict access to the installation directory or remove the install/ directory after installation, and then confirm that a request to /install/lib/ajaxHandlers/ajaxServerSettingsChk.php no longer returns HTTP 200 (a reachable install/ directory is the precondition for exploitation). The exploit is publicly available, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- rConfig/rConfig
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the rootUname GET parameter allows shell command injection via the exec() function."
Attack vector
An unauthenticated attacker sends a GET request to `ajaxServerSettingsChk.php` with a crafted `rootUname` parameter. The value is concatenated into a command string (e.g., `sudo -S -u ' . $rootUname . ' ...`) and passed to `exec()`. By injecting a semicolon followed by an arbitrary command and a comment character (`#`), the attacker can execute arbitrary system commands. The exploit requires the `/install` directory to be accessible (HTTP 200), which is the default on a fresh rConfig 3.9.2 installation [ref_id=1][ref_id=2].
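A practical check for the attack vector described above is to scan web-server access logs for requests to the vulnerable script whose rootUname value carries shell metacharacters. The following is an added example written for this page (it is not part of the advisory or of rConfig): the log lines are constructed, the combined-log regex and the metacharacter set are choices made here, and parse_str() is used because it URL-decodes the query values the same way the server would.

```php
<?php
// Added example (not rConfig or advisory code): flag access-log lines that
// look like CVE-2019-16662 probes. All sample log lines are constructed.

declare(strict_types=1);

const VULN_PATH = '/install/lib/ajaxHandlers/ajaxServerSettingsChk.php';

/**
 * Returns null for a benign line, or a short reason when the request targets
 * the vulnerable script with a rootUname value that could break out of the
 * shell command the script builds.
 */
function classify_request(string $logLine): ?string
{
    // Combined log format carries the request as "METHOD /path?query HTTP/x.y".
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    // parse_url() accepts a bare request target; cast guards against false/null.
    $path  = (string) (parse_url($m[1], PHP_URL_PATH) ?? '');
    $query = (string) (parse_url($m[1], PHP_URL_QUERY) ?? '');
    if ($path !== VULN_PATH) {
        return null;
    }
    parse_str($query, $params);          // URL-decodes values, '+' becomes space
    $value = $params['rootUname'] ?? null;
    if (!is_string($value)) {
        return 'request to vulnerable script without a scalar rootUname';
    }
    // Anything outside a conservative user-name character set is suspicious;
    // the advisory's payload shape is ";<command> #".
    if (preg_match('/[;&|`$(){}<>\n#\'" ]/', $value)) {
        return 'shell metacharacters in rootUname: ' . json_encode($value);
    }
    return null;
}

// Constructed sample lines (not taken from a real server).
$samples = [
    '203.0.113.5 - - [01/Nov/2019:10:00:01 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=root HTTP/1.1" 200 52',
    '203.0.113.5 - - [01/Nov/2019:10:00:02 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3Bid+%23 HTTP/1.1" 200 98',
    '198.51.100.9 - - [01/Nov/2019:10:00:03 +0000] "GET /devices.php?id=3 HTTP/1.1" 200 1200',
];

foreach ($samples as $line) {
    echo ($verdict = classify_request($line)) ?? 'ok', "\n";
}
```

Only the second sample is flagged (its query decodes to `;id #`); a legitimate `rootUname=root` and an unrelated request both pass. Run it with `php detect.php` against lines piped from the real log once the constructed samples are replaced.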
Affected code
The vulnerable file is `/install/lib/ajaxHandlers/ajaxServerSettingsChk.php`. The script takes the `rootUname` parameter directly from a GET request and concatenates it into shell commands that are passed to the `exec()` function without any filtering or sanitization [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] states that the root cause is the lack of filtering on the `rootUname` parameter before it is passed to `exec()`. To remediate, the application must validate the `rootUname` input against an allowlist of expected username characters and quote it with `escapeshellarg()` rather than concatenating it directly into the command string; better still, it should avoid passing user-supplied input to `exec()` at all.
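The vulnerable concatenation beside a hardened version, as an added example written for this page rather than rConfig's own code. The advisory only reproduces the prefix `'sudo -S -u ' . $rootUname . ' ...'`, so the tail of the real command line is a stand-in (`id`); the allowlist regex and the exception type are choices made here, and `escapeshellarg()` is PHP's standard argument quoting. Nothing below is passed to `exec()`; the script only prints what would have reached the shell.

```php
<?php
// Added example (not rConfig code). Shows why the raw concatenation is
// injectable and how an allowlist plus escapeshellarg() closes the hole.

declare(strict_types=1);

// Assumption: the remainder of the real command is not reproduced; 'id' stands in.
const COMMAND_TAIL = 'id';

/** Vulnerable pattern, as described in the advisory: raw GET value in the command. */
function build_command_unsafe(string $rootUname): string
{
    return 'sudo -S -u ' . $rootUname . ' ' . COMMAND_TAIL;
}

/** Hardened pattern: allowlist the value, then quote it for the shell. */
function build_command_safe(string $rootUname): string
{
    // Conservative POSIX-style user name: letter or underscore first, then
    // letters, digits, underscore or hyphen, at most 32 characters in total.
    // The /D modifier makes '$' refuse a trailing newline, which '$' alone
    // would otherwise accept.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/D', $rootUname)) {
        throw new InvalidArgumentException('rootUname is not a valid user name');
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so even a loosened allowlist could not terminate the argument.
    return 'sudo -S -u ' . escapeshellarg($rootUname) . ' ' . COMMAND_TAIL;
}

// Constructed inputs: one legitimate value and two injection attempts.
$inputs = [
    'root',       // legitimate
    ';id #',      // ';' ends the sudo command, 'id' runs, '#' drops the tail
    "root\nid",   // a newline is also a command separator for sh
];

foreach ($inputs as $value) {
    printf("input  : %s\n", json_encode($value));
    printf("  unsafe: %s\n", build_command_unsafe($value));
    try {
        printf("  safe  : %s\n", build_command_safe($value));
    } catch (InvalidArgumentException $e) {
        printf("  safe  : rejected (%s)\n", $e->getMessage());
    }
}
```

For `root` the hardened builder yields `sudo -S -u 'root' id`; for `;id #` the unsafe builder yields `sudo -S -u ;id # id`, which is exactly the breakout the advisory describes, while the hardened builder rejects it before any command string is formed. The allowlist should be tightened or loosened to match the account names the deployment actually uses.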
Preconditions
- network: The /install directory must be accessible (returns HTTP 200)
- auth: No authentication required; the endpoint is publicly reachable
- network: Attacker must be able to send HTTP GET requests to the target server
Reproduction
1. Ensure the target rConfig 3.9.2 instance has the `/install` directory accessible (returns HTTP 200).
2. Start a netcat listener on your attacker machine: `nc -lvnp
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/154999/rConfig-3.9.2-Remote-Code-Execution.html
- packetstormsecurity.com/files/155186/rConfig-3.9.2-Command-Injection.html
- drive.google.com/file/d/1bTpTn4-alJ8qGCEATLq-oVM6HbhE65iY/view
- drive.google.com/open
- gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e
- rconfig.com/download
- shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/
News mentions
No linked articles in our index yet.