CVE-2019-25249
Published: 24 December 2025
Summary
CVE-2019-25249 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2019-25249 is an authentication bypass vulnerability affecting the devolo dLAN 500 AV Wireless+ firmware version 3.1.0-1. The flaw exists in the htmlmgr CGI script, which allows attackers to manipulate system configuration parameters without authentication. This enables the activation of hidden services, including telnet and remote shell access, device reboots, and escalation to root privileges. The vulnerability is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266 (Incorrect Privilege Assignment for Critical Resource).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By sending crafted requests to the htmlmgr CGI endpoint, adversaries can enable insecure services like telnet and remote shells, leading to full root access without a password. This grants complete control over the device, including configuration changes, data extraction, and potential pivoting to other network assets.
Advisories and related resources include the vendor site at https://www.devolo.com, an exploit at https://www.exploit-db.com/exploits/46325, and a vulnerability report from Zero Science Labs at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php. These references document the issue but do not specify patch availability or mitigation steps in the provided details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-205315
Vulnerability details
devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass in public-facing CGI script enables T1190 exploitation; grants root access (T1068); allows modifying/enabling hidden remote services like telnet/shell (T1031, T1021); supports device reboot (T1529).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to system resources, directly preventing the htmlmgr CGI script's authentication bypass that allows unauthorized configuration manipulation and root access.
Limits permitted actions without identification or authentication, prohibiting sensitive operations like enabling telnet, remote shells, or reboots via the vulnerable CGI endpoint.
Identifies, reports, and remediates the specific authentication bypass flaw in the devolo firmware, eliminating the vulnerability at its source.