CVE-2019-25282
Published: 08 January 2026
Summary
CVE-2019-25282 is a medium-severity Open Redirect (CWE-601) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 29.1 percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2019-25282 is an open redirect vulnerability in the V-SOL GPON/EPON OLT Platform version 2.03. The issue stems from improper input validation in a script that processes the 'parent' GET parameter, enabling attackers to manipulate the redirect mechanism and send users to arbitrary external websites.
Any remote attacker can exploit this vulnerability without authentication by crafting malicious links that leverage the flawed parameter; these links target logged-in users and redirect them to attacker-controlled sites. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-601 (URL Redirection to Untrusted Site). Published on 2026-01-08, it allows high-impact compromise of confidentiality, integrity, and availability.
Advisories and reports on mitigation are available from multiple sources, including CXSecurity (https://cxsecurity.com/issue/WLB-2019090193), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/167772), Packet Storm Security (https://packetstormsecurity.com/files/154628), the vendor V-SOL site (https://www.vsolcn.com/), and Zero Science Labs (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5535.php).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1600
Vulnerability details
V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attackers can craft malicious links that redirect logged-in users to arbitrary websites by exploiting improper input validation in the redirect mechanism.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An open redirect in a public-facing web platform directly enables exploitation via crafted links (T1190) and supports spearphishing link delivery that redirects users (T1566.002).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of the 'parent' GET parameter input to block manipulation leading to open redirects to arbitrary sites.
- SI-15 (Information Output Filtering): requires filtering or validation of output such as redirect URLs prior to transmission, preventing delivery of malicious redirects to users.
- Ensures timely identification, reporting, and remediation of the input validation flaw causing this open redirect vulnerability.
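The following is an added illustration of what the SI-10 / SI-15 style controls above look like in code for a redirect parameter such as 'parent'. It is example code written for this page, not code from V-SOL or from any of the referenced advisories; the host name olt.example.internal, the allow-list policy and the parameter handling are assumptions. It shows the pattern a defender wants: treat the parameter as untrusted, and return only a same-origin path (or a fixed default) instead of echoing the supplied value into a Location header.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed policy for this example: the only host the application may
# redirect users to (hypothetical name, not from the advisory).
ALLOWED_HOSTS = {"olt.example.internal"}
DEFAULT_TARGET = "/"


def safe_redirect_target(parent, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Derive a redirect target from the untrusted 'parent' value.

    Returns a relative path on the current origin, or `default` whenever the
    value would leave the allowed origin or could corrupt the response header.
    """
    if not isinstance(parent, str) or not parent:
        return default
    # Raw CR/LF or other control characters in a Location header enable header
    # injection; reject rather than try to sanitise.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in parent):
        return default
    # Browsers treat backslashes as forward slashes in URLs, so "/\evil" is
    # really "//evil"; normalise before parsing so the netloc check sees it.
    candidate = parent.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only http/https to an allow-listed host may pass,
        # and even then only the path/query/fragment is kept (same-origin).
        if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
            return default
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    if parts.netloc:
        # Scheme-relative form ("//evil.example/...") resolves off-site.
        return default
    # Anything not starting with a single "/" (e.g. "///host", "evil.example")
    # is ambiguous to browsers; fall back to the default.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed sample inputs: how a handler would see various 'parent' values.
SAMPLE_PARENTS = [
    "/status/olt?id=3",                          # ordinary in-app path
    "https://olt.example.internal/admin?x=1",    # absolute, allowed host
    "//evil.example/",                           # scheme-relative, external
    "/\\evil.example",                           # backslash trick
    "https://olt.example.internal@evil.example/",# userinfo trick
    "javascript:alert(1)",                       # non-http scheme
    "/a\r\nX-Injected: 1",                       # header injection attempt
    "///evil.example",                           # triple-slash form
]


def demo(parents=SAMPLE_PARENTS):
    """Map each sample value to the target the handler would actually use."""
    return {p: safe_redirect_target(p) for p in parents}


if __name__ == "__main__":
    for raw, target in demo().items():
        print(f"{raw!r:45} -> {target!r}")
```

The function never rewrites a bad value into a "cleaned" external URL; every rejected input collapses to the same fixed default, which keeps the decision auditable and gives monitoring a single condition to log (a rejected 'parent' value is itself a useful detection signal).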