CVE-2019-25279
Published: 08 January 2026
Summary
CVE-2019-25279 is a high-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Iwt Facesentry Access Control System Firmware. Its CVSS base score is 7.5 (High).
Operationally, ranked at the 20.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Training on secure data handling discourages cleartext storage of sensitive information.
Data action mapping can detect storage actions that leave sensitive information in cleartext.
Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information.
Policy requires protection measures such as encryption for sensitive data stored on media, preventing cleartext exposure.
Key-management policy requires protected storage of key material, preventing cleartext storage of sensitive cryptographic keys.
Requiring confidentiality protection for information at rest eliminates cleartext storage of sensitive data on persistent media.
Reduces cleartext storage of sensitive data when OPSEC identifies and mandates protection of key information artifacts.
NVD Description
FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication.
Deeper analysisAI
CVE-2019-25279 is a cleartext password storage vulnerability (CWE-312) affecting the FaceSentry Access Control System version 6.4.8. The issue resides in the device's SQLite database at /faceGuard/database/FaceSentryWeb.sqlite, where sensitive login credentials are stored without encryption, allowing direct access to unencrypted information.
Attackers can exploit this vulnerability remotely over the network with low complexity, no privileges, and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation enables reading of plaintext credentials from the database without additional authentication, potentially granting unauthorized access to the system or related resources.
Advisories referenced in IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/163190), Packet Storm Security (https://packetstormsecurity.com/files/153501), and Zero Science Lab (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5529.php) document the vulnerability details but do not specify patches or mitigations in the provided information.
Details
- CWE(s)