Cyber Resilience

CVE-2019-25237

Severity: High · Public PoC

Published: 24 December 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0031 (22.8th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25237 is a high-severity Incorrect Authorization (CWE-863) vulnerability. The affected product is recorded here as "Zeroscience" (inferred from references, since NVD filed no CPE); the analysis below identifies it as the V-SOL GPON/EPON OLT Platform v2.03. Its CVSS v4.0 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). EPSS ranks the CVE at the 22.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2019-25237 is a privilege escalation vulnerability in the V-SOL GPON/EPON OLT Platform version 2.03. It allows normal users to gain administrative access by sending a crafted HTTP POST request to the user management endpoint, specifically by setting the 'user_role_mod' parameter to the integer value '1'. The issue stems from improper handling of the user role parameter, classified under CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is exploitable over the network by normal users; as the CVSS v3.1 PR:N metric reflects, no special privileges, user interaction, or authentication beyond basic access is required (the CVSS v4.0 vector above records PR:L, a low-privileged account, which matches the "normal user" precondition). Successful exploitation grants the attacker administrative privileges on the affected OLT platform, that is, full control over the confidentiality, integrity, and availability of the system: modifying configurations, accessing sensitive data, or disrupting network operations in GPON/EPON environments.

Advisories and references include an exploit published on Exploit-DB (https://www.exploit-db.com/exploits/47435), the vendor site (https://www.vsolcn.com), and detailed analysis from Zero Science Labs (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5538.php), confirming the attack vector but providing no specific patch or mitigation details in the available information.

Vulnerability details

V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod' set to integer value '1' to elevate their privileges.

CWE(s): CWE-863 (Incorrect Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2019-25237 is an unauthenticated privilege escalation in a public-facing web application (the user management endpoint of a GPON/EPON OLT). A crafted HTTP POST request that manipulates the user role parameter gives initial access to the device (T1190, Exploit Public-Facing Application) and elevates that access to administrator (T1068, Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25741 (shared CWE-863)
CVE-2026-32005 (shared CWE-863)
CVE-2025-21556 (shared CWE-863)
CVE-2025-24434 (shared CWE-863)
CVE-2026-44633 (shared CWE-863)
CVE-2026-22595 (shared CWE-863)
CVE-2026-44110 (shared CWE-863)
CVE-2026-30239 (shared CWE-863)
CVE-2025-24407 (shared CWE-863)
CVE-2026-32101 (shared CWE-863)

Affected Assets

Zeroscience (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 (prevent): AC-3 enforces approved authorizations for access to resources, directly preventing unauthorized privilege escalation through manipulated user role parameters in the user management endpoint.

SI-10 (prevent): SI-10 requires validation of information inputs at external interfaces, blocking crafted HTTP POST requests that set the 'user_role_mod' parameter to elevate privileges.

AC-6 (prevent): AC-6 mandates least privilege for users and processes, ensuring normal users cannot gain administrative access even if authorization checks fail.
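As an added illustration, not code from this page, the vendor, or the referenced advisories, the following Python sketches the CWE-863 pattern described in the deeper analysis and the AC-3 / SI-10 style fixes listed above: a user-management handler that honours a client-supplied role field beside one that derives the permitted action from the authenticated session and validates the field, plus a log check that flags role-modification requests submitted by non-administrator sessions. The endpoint path, the log line format, the role encoding and the function names `modify_user_role_vulnerable`, `modify_user_role_hardened`, `outcome_hardened` and `flag_role_escalation_attempts` are assumptions made for the example; only the parameter name `user_role_mod` and the value `1` come from the advisory text on this page.

```python
"""CWE-863 (Incorrect Authorization) in a user-management handler, and the
defender-side checks that close it. Hypothetical illustration; the endpoint,
role encoding and log format are assumed, not taken from the V-SOL product."""
from dataclasses import dataclass
from typing import Dict, List

ROLE_ADMIN = 1   # assumed meaning of 'user_role_mod=1' in the advisory
ROLE_USER = 0
USER_MGMT_PATH = "/cgi-bin/user_mgmt"   # assumed endpoint path


@dataclass
class Session:
    username: str
    role: int    # role fixed at login and kept server-side


class AuthorizationError(Exception):
    pass


def modify_user_role_vulnerable(session: Session, form: Dict[str, str],
                                users: Dict[str, int]) -> int:
    """Vulnerable pattern: the server trusts the role value in the request
    body. Any logged-in user can submit user_role_mod=1 and become admin."""
    target = form.get("username", session.username)
    new_role = int(form.get("user_role_mod", users.get(target, ROLE_USER)))
    users[target] = new_role
    return new_role


def modify_user_role_hardened(session: Session, form: Dict[str, str],
                              users: Dict[str, int]) -> int:
    """AC-3 / AC-6 style fix: the right to change roles comes from the
    server-side session, never from the request; SI-10 style validation
    rejects anything but the known role values."""
    if session.role != ROLE_ADMIN:            # AC-3: enforce authorization
        raise AuthorizationError("role changes require an administrator session")
    raw = form.get("user_role_mod")
    if raw not in ("0", "1"):                  # SI-10: validate the input
        raise ValueError("user_role_mod must be 0 or 1")
    target = form.get("username")
    if target not in users:
        raise ValueError("unknown target user")
    users[target] = int(raw)
    return users[target]


def outcome_hardened(session: Session, form: Dict[str, str],
                     users: Dict[str, int]) -> str:
    """Map the hardened handler's result to a short label for callers/tests."""
    try:
        modify_user_role_hardened(session, form, users)
        return "ok"
    except AuthorizationError:
        return "denied"
    except ValueError:
        return "rejected"


# Constructed sample access log (format assumed): ts user= role= METHOD PATH [body=] status=
SAMPLE_LOG = """\
2025-12-24T10:00:01Z user=operator role=0 POST /cgi-bin/user_mgmt body=username=operator&user_role_mod=1 status=200
2025-12-24T10:00:05Z user=admin role=1 POST /cgi-bin/user_mgmt body=username=operator&user_role_mod=0 status=200
2025-12-24T10:00:09Z user=operator role=0 GET /cgi-bin/status status=200
"""


def flag_role_escalation_attempts(log_text: str) -> List[str]:
    """Return log lines where a non-admin session posted user_role_mod to the
    user-management endpoint. A 200 on such a line means the server honoured it."""
    flagged = []
    for line in log_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5:
            continue
        kv = dict(t.split("=", 1) for t in tokens if "=" in t)
        method, path = tokens[3], tokens[4]
        body = kv.get("body", "")
        params = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
        if (method == "POST" and path == USER_MGMT_PATH
                and "user_role_mod" in params and kv.get("role") != "1"):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    users = {"operator": ROLE_USER, "admin": ROLE_ADMIN}
    operator = Session("operator", ROLE_USER)
    request = {"username": "operator", "user_role_mod": "1"}
    print("vulnerable handler ->", modify_user_role_vulnerable(operator, request, dict(users)))
    print("hardened handler   ->", outcome_hardened(operator, request, dict(users)))
    for line in flag_role_escalation_attempts(SAMPLE_LOG):
        print("FLAGGED:", line)
```

The hardened handler does not inspect who the target is before the authorization check, so a normal user is refused whether the request names their own account or someone else's; the detection function keys on the session role recorded server-side, not on anything in the request body, for the same reason.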
