Cyber Resilience

CVE-2019-25282

Medium · Public PoC

Published: 08 January 2026
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: no entry
CVSS Score v4: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0037 (29.1st percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2019-25282 is a medium-severity Open Redirect (CWE-601) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2019-25282 is an open redirect vulnerability in the V-SOL GPON/EPON OLT Platform version 2.03. The issue stems from improper input validation in a script that processes the 'parent' GET parameter, enabling attackers to manipulate the redirect mechanism and send users to arbitrary external websites.

Any remote attacker can exploit this vulnerability without authentication by crafting a link that abuses the flawed parameter. Such links target logged-in users and redirect them to attacker-controlled sites. The record carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-601 (URL Redirection to Untrusted Site). Published on 2026-01-08, the vulnerability allows high-impact compromise of confidentiality, integrity, and availability.

Advisories and reports on mitigation are available from multiple sources, including CXSecurity (https://cxsecurity.com/issue/WLB-2019090193), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/167772), Packet Storm Security (https://packetstormsecurity.com/files/154628), the vendor V-SOL site (https://www.vsolcn.com/), and Zero Science Labs (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5535.php).

Vulnerability details

V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attackers can craft malicious links that redirect logged-in users to arbitrary websites by exploiting improper input validation in the redirect mechanism.

CWE(s)

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Open redirect in public-facing web platform directly enables exploitation via crafted links (T1190) and supports spearphishing link delivery to redirect users (T1566.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7504 (shared CWE-601)
CVE-2026-29067 (shared CWE-601)
CVE-2025-23363 (shared CWE-601)
CVE-2026-6795 (shared CWE-601)
CVE-2026-28512 (shared CWE-601)
CVE-2026-23818 (shared CWE-601)
CVE-2026-0508 (shared CWE-601)
CVE-2025-24868 (shared CWE-601)
CVE-2026-40905 (shared CWE-601)
CVE-2025-24381 (shared CWE-601)

Affected Assets

Cxsecurity
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)

Directly mandates validation of the 'parent' GET parameter input to block manipulation leading to open redirects to arbitrary sites.

SI-15 Information Output Filtering (prevent)

Requires filtering or validation of output such as redirect URLs prior to transmission, preventing delivery of malicious redirects to users.

Flaw remediation (prevent · recover)

Ensures timely identification, reporting, and remediation of the input validation flaw causing this open redirect vulnerability.
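As an added example (not code from the V-SOL platform or this record), the check below shows how the SI-10 input-validation control can be applied to a redirect parameter such as 'parent': only same-origin paths or an allow-listed host are accepted, and everything else falls back to a fixed default page. The host name olt.example and the default target are constructed placeholders.

```python
"""Defensive check for a user-supplied redirect target such as the 'parent'
GET parameter. Added example, not vendor code: the policy is 'same-origin
paths, or an explicit host allowlist'; anything else falls back to a fixed
default. The host names below are constructed placeholders."""
from typing import Iterable, Optional
from urllib.parse import unquote, urlsplit

DEFAULT_TARGET = "/"                        # assumed landing page of the UI
ALLOWED_HOSTS = frozenset({"olt.example"})  # constructed: hosts we may send users to


def safe_redirect_target(parent: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return `parent` only if it is safe to place in a Location header."""
    if not parent:
        return default
    raw = parent.strip()
    allowed = {h.lower() for h in allowed_hosts}
    # Test both the raw value and its percent-decoded form, so an encoded
    # '//' or '\' cannot smuggle a foreign host past the checks.
    for value in (raw, unquote(raw)):
        # Control characters break headers (CRLF injection); backslashes are
        # treated as '/' by browsers in http(s) URLs and defeat host parsing.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value) or "\\" in value:
            return default
        try:
            parts = urlsplit(value)
            host = (parts.hostname or "").lower()
        except ValueError:            # e.g. malformed IPv6 literal
            return default
        if value.startswith("/"):
            # Relative target: exactly one leading slash, no authority part.
            if value.startswith("//") or parts.netloc:
                return default
            continue
        # Absolute target: only http(s) and only an allow-listed host.
        if parts.scheme not in ("http", "https") or host not in allowed:
            return default
    return raw
```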
