Introduction
Remote attackers can achieve unauthenticated code execution on critical network management infrastructure due to a command injection flaw in MegaSys Telenium Online Web Application. Organizations in telecommunications, energy, and government sectors using Telenium face immediate risk of compromise if this vulnerability is left unaddressed.
About MegaSys and Telenium: MegaSys Computer Technologies is a Canadian vendor with over 35 years in the network management space, providing solutions for more than 100 energy providers, telecom networks, and government agencies. Their Telenium platform is a comprehensive network management suite supporting hundreds of device types and is also rebranded by General Electric as Advanced NMS. Telenium is widely deployed in critical infrastructure environments.
Technical Information
CVE-2025-10659 is a critical vulnerability in the Telenium Online Web Application, classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The flaw is present in a PHP endpoint that is reachable by unauthenticated network users. The endpoint attempts to validate user input with a regular expression, but the check is insecurely terminated, so crafted input passes the intended validation.
When the vulnerable endpoint receives a crafted HTTP request, user-supplied input is incorporated into an OS command without proper sanitization. Attackers can inject shell metacharacters or command separators (such as ";", "&", or "|") to execute arbitrary commands on the server. The commands execute with the privileges of the web application service account, which may have significant access depending on deployment configuration.
No public code snippets or proof of concept details are available. The vulnerability is notable for requiring no authentication, making exploitation possible from any network location with access to the web interface.
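As an added illustration, not Telenium code (no source or proof of concept is public), the following Python sketch shows the bug class described above: a regex check that is terminated weakly next to a whole-value check and an argv-based command build, plus a simple access-log triage rule for the separators named in this post. The endpoint path "/tool.php", the "host" parameter and the ping command are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed illustration of the bug class only: the endpoint path (/tool.php),
# the "host" parameter and the ping command are hypothetical, not Telenium's.
HOST_CHARS = r"[A-Za-z0-9.-]+"


def weak_check(host: str) -> bool:
    """Weakly terminated check: re.match anchors only at the start, so any value
    with a valid prefix passes and whatever follows it is never inspected."""
    return re.match("^" + HOST_CHARS, host) is not None


def strict_check(host: str) -> bool:
    r"""Whole-value check: fullmatch behaves like \A...\Z (a bare $ would still
    accept a trailing newline), with a length bound on top."""
    return 0 < len(host) <= 253 and re.fullmatch(HOST_CHARS, host) is not None


def build_argv(host: str) -> list:
    """Hardened form: validate, then pass the value as one argv element to
    subprocess.run(argv, shell=False); '--' keeps a leading '-' from being
    read as an option. No shell ever parses the value."""
    if not strict_check(host):
        raise ValueError("rejected host value")
    return ["ping", "-c", "1", "--", host]


# Separators named in the advisory plus line breaks, for log triage.
SEPARATORS = re.compile(r"[;&|\r\n]")


def flag_request(log_line: str) -> bool:
    """Flag an access-log line whose request targets a .php path and carries a
    shell separator in any percent-decoded query value (constructed log format)."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith(".php"):
        return False
    values = parse_qsl(url.query, keep_blank_values=True)
    return any(SEPARATORS.search(v) for _, v in values)


if __name__ == "__main__":
    # Constructed sample log line: an encoded ';' smuggled into the host value.
    sample = ('10.1.2.3 - - [01/Jan/2025:00:00:00 +0000] '
              '"GET /tool.php?host=10.0.0.1%3Bid HTTP/1.1" 200 512')
    print(weak_check("10.0.0.1; id"), strict_check("10.0.0.1; id"), flag_request(sample))
```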
Affected Systems and Versions
- Product: MegaSys Telenium Online Web Application
- Affected: All versions with the vulnerable PHP endpoint accessible to unauthenticated users
- No specific version numbers or ranges are published in public advisories as of the date of this post
- Vulnerability is present when the web interface is exposed to untrusted networks
Vendor Security History
MegaSys has previously addressed similar vulnerabilities in Telenium, such as CVE-2025-8769 (improper input validation in a Perl script). The company typically issues advisories and patches in coordination with CISA. However, the recurrence of input validation flaws indicates ongoing challenges in secure development and testing practices. MegaSys provides a dedicated support portal and 24/7 technical support for customers.