Cyber Resilience

CVE-2019-25249

HighPublic PoC

Published: 24 December 2025

Published
24 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0037 29.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25249 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2019-25249 is an authentication bypass vulnerability affecting the devolo dLAN 500 AV Wireless+ firmware version 3.1.0-1. The flaw exists in the htmlmgr CGI script, which allows attackers to manipulate system configuration parameters without authentication. This enables the activation of hidden services, including telnet and remote shell access, device reboots, and escalation to root privileges. The vulnerability is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266 (Incorrect Privilege Assignment for Critical Resource).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By sending crafted requests to the htmlmgr CGI endpoint, adversaries can enable insecure services like telnet and remote shells, leading to full root access without a password. This grants complete control over the device, including configuration changes, data extraction, and potential pivoting to other network assets.

Advisories and related resources include the vendor site at https://www.devolo.com, an exploit at https://www.exploit-db.com/exploits/46325, and a vulnerability report from Zero Science Labs at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php. These references document the issue but do not specify patch availability or mitigation steps in the provided details.

EU & UK References

Vulnerability details

devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a…

more

password by manipulating system configuration parameters.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1543.003 Windows Service Persistence
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
T1021 Remote Services Lateral Movement
Adversaries may use [Valid Accounts](https://attack.
T1529 System Shutdown/Reboot Impact
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Why these techniques?

Auth bypass in public-facing CGI script enables T1190 exploitation; grants root access (T1068); allows modifying/enabling hidden remote services like telnet/shell (T1031, T1021); supports device reboot (T1529).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-56000Shared CWE-266
CVE-2026-23800Shared CWE-266
CVE-2026-27051Shared CWE-266
CVE-2026-24971Shared CWE-266
CVE-2026-32916Shared CWE-266
CVE-2026-23550Shared CWE-266
CVE-2025-68027Shared CWE-266
CVE-2024-12470Shared CWE-266
CVE-2026-24968Shared CWE-266
CVE-2025-68869Shared CWE-266

Affected Assets

Zeroscience
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly preventing the htmlmgr CGI script's authentication bypass that allows unauthorized configuration manipulation and root access.

prevent

Limits permitted actions without identification or authentication, prohibiting sensitive operations like enabling telnet, remote shells, or reboots via the vulnerable CGI endpoint.

prevent

Identifies, reports, and remediates the specific authentication bypass flaw in the devolo firmware, eliminating the vulnerability at its source.

References