
PatchSiren cyber security CVE debrief

CVE-2019-16662 rConfig 3.9.2 CVE debrief

CVE-2019-16662 describes a direct command-execution issue in rConfig 3.9.2. According to the supplied description, ajaxServerSettingsChk.php passes the value of the rootUname parameter to PHP's exec function without filtering, so a crafted GET request to that script runs arbitrary system commands with the privileges of the web server process. That makes this a high-priority issue for any exposed or in-use affected instance.

Vendor
Unknown Vendor
Product
rConfig 3.9.2 (as named in the CVE description)
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2019-10-28
Original CVE updated
2026-05-15
Advisory published
2026-05-15
Advisory updated
2026-05-15

Who should care

Administrators and security teams responsible for rConfig 3.9.2 deployments, especially instances whose web interface is reachable from untrusted networks, and the network teams whose device configurations are managed through them.

Technical summary

The provided CVE description states that ajaxServerSettingsChk.php passes the rootUname parameter to exec without filtering. Because the parameter arrives in a plain GET request, exploitation needs nothing more than HTTP reachability to the endpoint; whether the script enforces authentication before reaching exec is not stated in the supplied description and should be verified on the deployed instance rather than assumed. The EPSS signal provided with this record is very high (0.94461, 99.994th percentile). EPSS estimates the probability of exploitation activity in the next 30 days; it is a prioritisation signal, not evidence that a given instance has been exploited.

Defensive priority

High. The issue is described as direct system command execution reachable with a single GET request, and the supplied EPSS signal indicates strong exploitation interest. Treat exposed instances as urgent to assess.

Recommended defensive actions

  • Identify whether rConfig 3.9.2 is deployed anywhere in your environment, including forgotten or lab instances that still manage device configurations.
  • Restrict or block access to the affected endpoint if exposure cannot be eliminated immediately, for example by denying requests for ajaxServerSettingsChk.php at the reverse proxy or web server and limiting the management interface to a trusted network.
  • Apply the vendor's fixed version or other official remediation if available from authoritative sources.
  • Review web and system logs for requests to ajaxServerSettingsChk.php, paying particular attention to URL-decoded rootUname values that contain shell metacharacters, and for other signs of unexpected command execution such as child processes spawned by the web server user.
  • If the system was exposed, treat it as potentially compromised: validate host integrity and investigate for unauthorized changes or persistence (web shells, cron entries, new accounts, modified configuration backups) and, because rConfig holds device configurations, review the credentials stored in it.
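The log review above is the part most teams do by hand. The following scanner is an added example for this debrief, not rConfig code or any vendor tooling: it parses combined-format access log lines, matches requests whose path ends in the script named in the CVE description, URL-decodes the rootUname value, and ranks each hit by how much it looks like an injection attempt rather than a legitimate username. The log lines are constructed for the example; the /lib/ajaxHandlers/ directory in them is an assumption, which is why the matcher keys on the file name only.

```python
"""Rank access-log requests to the endpoint named in CVE-2019-16662 by how
likely the rootUname value was a command-injection attempt.
Added example for this debrief; not rConfig code."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "ajaxServerSettingsChk.php"   # script named in the CVE description
PARAM = "rootUname"                       # parameter passed to exec() unfiltered

# Combined log format as written by Apache/nginx; only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a value break out of a shell word when interpolated
# into an exec() command string without escaping.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r'\"]")
# What a legitimate Unix account name looks like; the settings check should
# never receive anything else.
USERNAME_OK = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
ORDER = {"review": 0, "high": 1, "critical": 2}


@dataclass
class Finding:
    ip: str
    ts: str
    value: Optional[str]
    severity: str


def rank_value(value: str) -> str:
    """Severity of one rootUname value."""
    if SHELL_META.search(value):
        return "critical"      # shell metacharacters: injection attempt
    if not USERNAME_OK.match(value):
        return "high"          # not a plausible username: probing or odd client
    return "review"            # looks benign, but still a hit on the endpoint


def classify_target(target: str):
    """(matched, rootUname values) for a request target (path + query)."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1].lower() != ENDPOINT.lower():
        return (False, None)
    # parse_qs percent-decodes, so %3B becomes ';' before ranking.
    return (True, parse_qs(parts.query, keep_blank_values=True).get(PARAM, []))


def scan_log(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        matched, values = classify_target(m["target"])
        if not matched:
            continue
        # A repeated parameter gets the worst of its values.
        severity = max((rank_value(v) for v in values), key=ORDER.get, default="review")
        findings.append(Finding(m["ip"], m["ts"], values[0] if values else None, severity))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2019:12:01:03 +0000] "GET /lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=root HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2019:12:01:09 +0000] "GET /lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3Bid%3B HTTP/1.1" 200 640 "-" "curl/7.64.0"
198.51.100.4 - - [28/Oct/2019:12:02:11 +0000] "GET /devices.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Oct/2019:12:03:30 +0000] "GET /lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%60whoami%60 HTTP/1.1" 200 640 "-" "python-requests/2.22.0"
192.0.2.9 - - [28/Oct/2019:12:04:02 +0000] "GET /lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=John%20Smith HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:8} {f.ip:15} {f.ts}  rootUname={f.value!r}")
```

Every hit on the endpoint is reported, not only the obviously hostile ones: a benign-looking value from an unexpected source address is still worth a look, because the page gives no guarantee the script is authenticated, and an attacker's first request is often a harmless probe. Run it over real logs with `scan_log(open(path).read())` and sort by severity.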

Evidence notes

This debrief is based on the supplied CVE description, which explicitly names rConfig 3.9.2, ajaxServerSettingsChk.php, the rootUname parameter, and unchecked use of exec. Risk context is further supported by the supplied EPSS record from FIRST showing a score of 0.94461 and percentile 0.99994. The official CVE and NVD records are the reference points; no additional facts were inferred beyond the provided corpus.

Official resources

CVE published on 2019-10-28T11:52:13.000Z. The CVE record was modified on 2026-05-15T00:00:00.000Z; that modified date should not be treated as the original issue date.