Cyber Resilience

CVE-2019-25291

Critical · Public PoC

Published: 08 January 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0037 (28.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2019-25291 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. The affected asset is listed as Ibmcloud, a label inferred from the references; the vulnerability description itself names INIM Electronics Smartliving SmartLAN/G/SI devices. Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE is ranked at the 28.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25291 is a vulnerability in INIM Electronics Smartliving SmartLAN/G/SI devices running versions <=6.x, stemming from hard-coded credentials embedded in the Linux distribution image. These credentials cannot be changed through normal device operations, making them persistent and exploitable. The issue, mapped to CWE-798 (Use of Hard-coded Credentials), impacts multiple SmartLiving device models and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), primarily due to high confidentiality impact.

Remote attackers can exploit this vulnerability over the network without requiring privileges, user interaction, or high complexity. By leveraging the hard-coded credentials, they can log in directly and gain unauthorized system access to affected devices, enabling potential data extraction or further compromise.

Advisories and related resources, including exploit details, are available from IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/172838), Packet Storm Security (https://packetstormsecurity.com/files/155618), Exploit-DB (https://www.exploit-db.com/exploits/47763), the vendor INIM Electronics site (https://www.inim.biz/), and Zero Science Lab (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php), which may provide guidance on mitigations or patches.

Vulnerability details

INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1078 Valid Accounts · Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Hard-coded credentials directly enable use of valid/default accounts for remote authentication and initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7414 · Shared CWE-798
CVE-2024-48126 · Shared CWE-798
CVE-2026-26218 · Shared CWE-798
CVE-2026-22900 · Shared CWE-798
CVE-2024-51547 · Shared CWE-798
CVE-2024-46433 · Shared CWE-798
CVE-2019-25322 · Shared CWE-798
CVE-2026-28255 · Shared CWE-798
CVE-2026-27785 · Shared CWE-798
CVE-2020-37135 · Shared CWE-798

Affected Assets

Ibmcloud (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: IA-5 directly mitigates hard-coded credentials by requiring change of default authenticators prior to first use, sufficient strength of mechanism, and secure management to prevent unauthorized access.

Prevent: SI-2 requires timely identification, reporting, and correction of flaws like hard-coded credentials through software/firmware updates and patching.

Prevent: AC-2 enables management of accounts associated with hard-coded credentials, including creation, modification, disabling, and removal where feasible to limit unauthorized access.
