OS command injection flaw reported in MegaSys Enterprises Telenium Online Web Application
Take action: If you use MegaSys Telenium Online Web Application, make sure that it's isolated from the internet and accessible only via trusted networks. Then visit the MegaSys support page to get the fix and plan a quick update. The flaw is fairly easy to exploit if the attacker can reach the server.
MegaSys Enterprises has patched a critical security vulnerability in its Telenium Online Web Application, a network management platform. The flaw enables unauthenticated attackers to execute arbitrary operating system commands remotely, potentially leading to complete compromise of affected systems.
The flaw is tracked as CVE-2025-10659 (CVSS score 9.3), and is caused by a PHP endpoint that is accessible to unauthenticated network users and improperly handles user-supplied input. It stems from the insecure termination of a regular expression check within the endpoint. Because the input is not correctly validated or sanitized, an unauthenticated attacker can inject arbitrary operating system commands through a crafted HTTP request.
Affected versions are Telenium Online Web Application 8.4.21 and all prior versions.
MegaSys Enterprises has provided a fix for this vulnerability and users should access the MegaSys support page to obtain detailed instructions on applying the security patch. Organizations that cannot immediately apply the patch should implement compensating network isolation controls to minimize their exposure.
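The advisory does not publish the affected endpoint's code. The PHP example below is added here to illustrate the bug class described above and is not MegaSys code: it assumes that "insecure termination" of the regular expression check means a missing or loose end anchor, and the function names, patterns, the `ping` command and the sample inputs are all constructed for illustration.

```php
<?php
// Added illustration, not MegaSys code: the patterns, function names and
// inputs below are constructed to show the bug class only.

// Weak check 1: no end anchor, so only a prefix of the input is validated.
function weak_prefix(string $s): bool {
    return preg_match('/^[0-9.]+/', $s) === 1;
}

// Weak check 2: "$" without the D modifier also matches before a final "\n".
function weak_dollar(string $s): bool {
    return preg_match('/^[0-9.]+$/', $s) === 1;
}

// Strict check: \A and \z pin the pattern to the whole string, then the
// value is parsed as an IPv4 address instead of being trusted as free text.
function strict_ip(string $s): bool {
    return preg_match('/\A[0-9.]{7,15}\z/', $s) === 1
        && filter_var($s, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Build the command only from a validated value, and still quote it so a
// later change to the validator cannot reintroduce shell metacharacters.
function build_ping(string $host): ?string {
    if (!strict_ip($host)) {
        return null; // reject outright; never "clean up" and continue
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed inputs: a clean value, one with a trailing newline, and one
// with a shell separator after a valid-looking prefix.
$samples = ["10.0.0.5", "10.0.0.5\n", "10.0.0.5; echo constructed"];

foreach ($samples as $s) {
    printf("%-32s prefix=%d dollar=%d strict=%d cmd=%s\n",
        json_encode($s),
        weak_prefix($s), weak_dollar($s), strict_ip($s),
        build_ping($s) ?? '(rejected)');
}
```

When reviewing your own PHP endpoints, look for `preg_match` patterns that start with `^` but lack `\z` (or `$` with the `D` modifier) and whose subject later reaches `exec`, `system`, `shell_exec`, `passthru`, `popen`, `proc_open` or backticks.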