Command injection enables VA MAX remote code execution

TL;DR — An authenticated request to changeip.php can be abused to inject shell metacharacters and execute arbitrary commands in VA MAX <= 8.3.4.

What happened

VA MAX is a product that exposes a PHP endpoint (changeip.php) which appears to be used for configuration changes. VulnCheck published an advisory for CVE-2019-25671 describing an authenticated remote code execution issue caused by injecting shell metacharacters into the mtu_eth0 parameter.

Per the advisory, an attacker can send a crafted POST request to changeip.php to execute commands as the apache user. VulnCheck links to a public Exploit-DB entry (ExploitDB-46348), which increases the risk of opportunistic scanning once defenders’ vulnerability feeds ingest the record.

Who is impacted

• Deployments running VA MAX <= 8.3.4.
• Environments where an attacker can obtain any credentials sufficient to reach the vulnerable functionality (CVSS indicates PR:L).

What to do now

• Follow vendor remediation guidance for VA MAX (the VulnCheck advisory does not list a fixed version).
• Inventory where VA MAX is deployed and confirm whether any instances are <= 8.3.4.
• Reduce exposure while you validate patch status:
  • Restrict access to the VA MAX management surface (network ACLs, VPN-only admin access, or an authenticated gateway).
  • Review and minimize which users/roles can invoke configuration-changing endpoints like changeip.php.
• Add detection and response coverage appropriate for an RCE-class issue:
  • Monitor for anomalous POST traffic to changeip.php, especially requests manipulating mtu_eth0.
  • If compromise is suspected, preserve web/app logs and rotate credentials and secrets reachable by the VA MAX service account context (notably anything accessible to the apache runtime).