CVE-2019-25279
Published: 08 January 2026
Summary
CVE-2019-25279 is a medium-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Iwt Facesentry Access Control System Firmware. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 17.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).
Deeper analysis
CVE-2019-25279 is a cleartext password storage vulnerability (CWE-312) affecting the FaceSentry Access Control System version 6.4.8. The issue resides in the device's SQLite database at /faceGuard/database/FaceSentryWeb.sqlite, where sensitive login credentials are stored without encryption, allowing direct access to unencrypted information.
Attackers can exploit this vulnerability remotely over the network with low complexity, no privileges, and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation enables reading of plaintext credentials from the database without additional authentication, potentially granting unauthorized access to the system or related resources.
Advisories referenced in IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/163190), Packet Storm Security (https://packetstormsecurity.com/files/153501), and Zero Science Lab (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5529.php) document the vulnerability details but do not specify patches or mitigations in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1614
Vulnerability details
FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct cleartext credential storage in a local SQLite database file enables reading of unsecured credentials from files.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates confidentiality protections for sensitive information at rest, directly preventing unauthorized disclosure of cleartext credentials stored in the SQLite database.
Requires protection of authenticator content from unauthorized disclosure, addressing the insecure storage of plaintext login credentials.
Enforces approved authorizations for logical access to the database file, mitigating direct reading of unencrypted credentials without authentication.