Cyber Resilience

CVE-2019-25236

HighPublic PoC

Published: 24 December 2025

Published
24 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 32.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25236 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).

Deeper analysis

CVE-2019-25236 is an unauthenticated vulnerability in the get_jpeg script of the iSeeQ Hybrid DVR WH-H4 version 1.03R. It enables unauthorized access to live video streams, allowing attackers to retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without any authentication. The issue is classified under CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. By crafting and sending HTTP requests to the exposed endpoint, they can directly access sensitive live video feeds from targeted camera channels, potentially enabling surveillance monitoring, privacy violations, or further reconnaissance for additional attacks on the DVR system.

References include the vendor site at http://www.iseeq.co.kr, an Exploit-DB entry (https://www.exploit-db.com/exploits/47562) providing a proof-of-concept, and a Zero Science Labs advisory (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5539.php). These detail the vulnerability but do not specify patches or mitigations in the available information.

EU & UK References

Vulnerability details

iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1125 Video Capture Collection
An adversary can leverage a computer's peripheral devices (e.
Why these techniques?

Unauthenticated access to live video snapshots via public-facing CGI endpoint enables T1190 (Exploit Public-Facing Application) and facilitates T1125 (Video Capture) by providing direct unauthorized retrieval of camera surveillance footage.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66049Shared CWE-306
CVE-2017-20213Shared CWE-306
CVE-2024-23943Shared CWE-306
CVE-2022-50978Shared CWE-306
CVE-2025-40771Shared CWE-306
CVE-2024-13185Shared CWE-306
CVE-2026-24790Shared CWE-306
CVE-2026-34275Shared CWE-306
CVE-2026-2844Shared CWE-306
CVE-2026-1729Shared CWE-306

Affected Assets

Zeroscience
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 explicitly identifies and limits user actions performable without identification or authentication, directly addressing the unauthenticated access to the get_jpeg endpoint exposing live video streams.

prevent

AC-3 enforces approved authorizations for access to system resources, mitigating the lack of enforcement on the critical get_jpeg script.

prevent

AC-22 controls access to and protects publicly accessible content, preventing unauthorized retrieval of sensitive video snapshots via the exposed endpoint.

References