Which versions of EM Plus are affected by CVE-2019-25468?

NetGain EM Plus systems (version 10.1.68) are vulnerable to unauthenticated remote code execution, allowing attackers to take complete control of affected devices without any authentication.

Is there a public PoC exploit available for CVE-2019-25468?

Yes, a public proof-of-concept exploit is available for CVE-2019-25468. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2019-25468?

Within 24 hours: Identify all NetGain EM Plus 10.1.68 instances in your environment and isolate them from untrusted networks; implement emergency WAF rules to block access to script_test.jsp endpoint. Within 7 days: Conduct a forensic review of access logs to detect potential exploitation; escalate vendor communication to demand patch timeline or end-of-life guidance. Within 30 days: Evaluate alternative products or plan migration away from NetGain EM Plus; if retention is mandatory, implement strict network segmentation and continuous monitoring.

EM Plus CVE-2019-25468

Q: What is the CVSS score of CVE-2019-25468?

CVE-2019-25468 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

CRITICAL

Code Injection (CWE-94)

2026-03-11 disclosure@vulncheck.com

RCE Code Injection

9.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

9.3 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 15, 2026 - 15:22 NVD

9.8 (CRITICAL) 9.3 (CRITICAL)

Analysis Generated

Mar 12, 2026 - 22:07 vuln.today

PoC Detected

Mar 12, 2026 - 21:08 vuln.today

Public exploit code

CVE Published

Mar 11, 2026 - 19:16 nvd

CRITICAL 9.8

DescriptionCVE.org

NetGain EM Plus 10.1.68 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious parameters to the script_test.jsp endpoint. Attackers can send POST requests with shell commands embedded in the 'content' parameter to execute code and retrieve command output.

AnalysisAI

RCE in NetGain EM Plus 10.1.68. PoC available.

Technical ContextAI

CWE-94.

Affected ProductsAI

NetGain EM Plus 10.1.68

RemediationAI

Update.

CVE-2019-25468 vulnerability details – vuln.today

Back