CVE-2019-25241
Published: 24 December 2025
Summary
CVE-2019-25241 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Iwt FaceSentry Access Control System Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 34.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates changing default authenticators and protecting them from unauthorized disclosure, preventing exploitation of hard-coded SSH credentials for the wwwuser account.
Enforces least privilege to restrict the wwwuser account from executing sudo commands without authentication, blocking privilege escalation to root.
Requires secure configuration settings for system components like sudoers files, mitigating the insecure configuration that allows unauthenticated privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded SSH credentials enable use of default/valid accounts (T1078.001) via external remote services like SSH (T1133, T1021.004); the insecure sudoers configuration allows privilege escalation (T1548.003).
NVD Description
FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication.
Deeper analysis
CVE-2019-25241 is a critical authentication vulnerability in FaceSentry Access Control System version 6.4.8, stemming from hard-coded SSH credentials for the wwwuser account. This issue is exacerbated by an insecure sudoers configuration that permits privilege escalation to root access through sudo commands executed without authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-798 (Use of Hard-coded Credentials). It was published on 2025-12-24.
The flaw is exploitable over the network with low complexity by a remote attacker who needs no privileges, user interaction, or special access. An attacker can authenticate via SSH using the hard-coded wwwuser credentials, then run sudo commands without being prompted for authentication to escalate to root privileges, resulting in high-impact compromise of confidentiality, integrity, and availability on the affected system.
Advisories and resources detailing the vulnerability include the vendor site at http://www.iwt.com.hk, an exploit at https://www.exploit-db.com/exploits/47067, and Zero Science's analysis at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php. These references provide further technical details on the issue, though specific patch or mitigation instructions are not detailed in the CVE description.
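A check for the sudoers weakness described above, as an added example that is not code from the advisory or the vendor: it scans sudoers text and reports every rule that grants sudo without a password, rating unrestricted grants highest. The sample policy is constructed (the page does not reproduce the device's file), the `audit` and `logical_lines` names and the severity labels are assumptions, and the parser is simplified: it does not follow include directives or expand aliases.

```python
import re

# Constructed sample policy for illustration. It is NOT the FaceSentry sudoers
# file, which the page does not reproduce.
SAMPLE_SUDOERS = r"""
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
wwwuser ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \
        /bin/tar
%admin  ALL=(ALL) ALL
"""

# Lines that configure sudo or define aliases rather than grant privileges.
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Yield rules with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # comment; include directives are not followed
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def audit(text, service_accounts=("wwwuser",)):
    """Return (principal, commands, severity) for every NOPASSWD rule."""
    findings = []
    for rule in logical_lines(text):
        if rule.startswith(SKIP) or "=" not in rule:
            continue
        principal = rule.split()[0]
        spec = rule.split("=", 1)[1]
        m = re.search(r"\bNOPASSWD\s*:(.*)", spec)
        if not m:
            continue
        cmds = [c.strip() for c in m.group(1).split(",") if c.strip()]
        # Passwordless sudo for ALL commands is the pattern this CVE describes.
        sev = "critical" if "ALL" in cmds else "high" if principal in service_accounts else "review"
        findings.append((principal, cmds, sev))
    return findings
```

Run `audit()` over the contents of `/etc/sudoers` and each file under `/etc/sudoers.d/`, passing the service accounts that should never hold sudo rights as `service_accounts`.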
Details
- CWE(s)