Cyber Resilience

CVE-2019-25235

HighPublic PoC

Published: 24 December 2025

Published
24 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25235 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2019-25235 is an authentication bypass vulnerability (CWE-639) in Smartwares HOME easy version 1.0.9. The flaw enables unauthenticated attackers to access administrative web pages by disabling JavaScript, thereby bypassing client-side validation. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts.

Unauthenticated remote attackers can exploit the vulnerability over the network with low complexity and no privileges or user interaction required, per the CVSS vector. By disabling JavaScript, attackers can directly navigate to multiple administrative endpoints and retrieve sensitive system information.

Advisories and further details are available from Zero Science Lab (ZSL-2019-5540 at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php) and the vendor site (https://www.smartwares.eu). A proof-of-concept exploit is published on Exploit-DB (https://www.exploit-db.com/exploits/47595).

EU & UK References

Vulnerability details

Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application, enabling unauthenticated remote attackers to access administrative endpoints, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68051Shared CWE-639
CVE-2026-43890Shared CWE-639
CVE-2026-42736Shared CWE-639
CVE-2023-53955Shared CWE-639
CVE-2026-28469Shared CWE-639
CVE-2024-13558Shared CWE-639
CVE-2025-13457Shared CWE-639
CVE-2026-3124Shared CWE-639
CVE-2025-68044Shared CWE-639
CVE-2025-36365Shared CWE-639

Affected Assets

Zeroscience
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces server-side approved authorizations for access to administrative web pages, preventing bypass of client-side JavaScript validation.

prevent

Explicitly identifies and restricts actions performable without identification or authentication, prohibiting unauthorized access to sensitive admin endpoints.

prevent

Requires identification and authentication for non-organizational users or attackers accessing administrative functions over the network.

References