CVE-2019-25291
Published: 08 January 2026
Summary
CVE-2019-25291 is a Use of Hard-coded Credentials (CWE-798) vulnerability in INIM Electronics Smartliving SmartLAN/G/SI devices (versions <=6.x). The listed CVSS base score is 9.3 (Critical); note that the CVSS v3.1 vector cited in the deeper analysis below evaluates to 7.5 (High), so read the severity label against the scoring version your programme uses.
Operationally, exploitation maps to the MITRE ATT&CK technique Valid Accounts (T1078). It is ranked at the 28.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25291 is a vulnerability in INIM Electronics Smartliving SmartLAN/G/SI devices running versions <=6.x, stemming from login credentials hard-coded into the Linux distribution image. There is no administrative path to rotate or disable these credentials, so they persist for the life of the firmware and remain usable by anyone who learns them. The issue is mapped to CWE-798 (Use of Hard-coded Credentials), affects multiple SmartLiving device models, and carries a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: the score is driven by the high confidentiality impact, with integrity and availability scored as none.
Remote attackers can exploit this vulnerability over the network without privileges, user interaction, or high attack complexity. Anyone who knows the embedded credentials can authenticate directly to an exposed device and obtain system-level access, enabling data extraction or a foothold for further compromise. Because the credentials are baked into the firmware image rather than provisioned per device, knowledge of them applies to every reachable device running the affected image.
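The practical check for this class of bug is to unpack the firmware image and look at what the image itself ships in etc/passwd and etc/shadow: any account with a usable hash, or with an empty password field, is a credential the operator did not set and usually cannot change. The following is an added example written for this page, not INIM's code and not taken from any of the referenced advisories. It assumes the image has already been unpacked (for example with binwalk) into a directory; the account names and hashes in SAMPLE_SHADOW are constructed for the demonstration and are not the credentials behind CVE-2019-25291, which this page does not disclose.

```python
"""Audit an unpacked firmware root filesystem for baked-in login credentials.

Added example, not INIM's code and not from the advisory. Assumes the firmware
image has already been unpacked (e.g. with binwalk) into a directory that holds
etc/passwd and optionally etc/shadow. The account names and hashes in
SAMPLE_SHADOW are constructed for the demo; they are not the credentials from
CVE-2019-25291, which this page does not disclose.
"""
import os
import re
import sys
from typing import Dict, List, Optional

# crypt(3) hash prefixes -> algorithm. Anything else that is not a lock marker
# is reported as "unknown" so it is still surfaced to the reviewer.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Cheap to brute-force offline once the hash has been lifted from the image.
WEAK_ALGOS = {"md5crypt", "descrypt"}

# Constructed shadow file for the demo (hashes are placeholders, not real crypt output).
SAMPLE_SHADOW = """\
root:$6$rounds=5000$f00dbabe$ZmFrZWhhc2hmb3JkZW1vb25seQ:18000:0:99999:7:::
service:$1$ab12cd34$YWxzb2Zha2Vmb3JkZW1v:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
guest::18000:0:99999:7:::
operator:!:18000:0:99999:7:::
"""


def classify_hash(field: str) -> Optional[str]:
    """Name the crypt algorithm of a password field, or None when the field
    cannot be used to log in ('x' = shadowed, '*' or '!' prefix = locked)."""
    if field == "x" or field.startswith(("*", "!")):
        return None
    for prefix, algo in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return algo
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"  # legacy 13-character DES crypt
    return "unknown"


def audit_accounts(text: str, source: str = "etc/shadow") -> List[Dict[str, str]]:
    """Scan passwd- or shadow-format lines (name:password:...) and report every
    account a remote attacker could authenticate as."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, pwfield = line.split(":", 2)[:2]
        if pwfield == "":
            # Empty password field: login succeeds with no password at all.
            findings.append({"account": name, "status": "passwordless",
                             "algo": "", "severity": "critical", "source": source})
            continue
        algo = classify_hash(pwfield)
        if algo is None:
            continue  # locked or shadowed: not directly usable
        severity = "high" if algo in WEAK_ALGOS else "medium"
        findings.append({"account": name, "status": "baked-in hash",
                         "algo": algo, "severity": severity, "source": source})
    return findings


def audit_rootfs(root: str) -> List[Dict[str, str]]:
    """Audit etc/passwd and etc/shadow under an unpacked image. Both are scanned
    because a legacy image may keep hashes (or blanks) in passwd itself."""
    results: List[Dict[str, str]] = []
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.extend(audit_accounts(fh.read(), source=rel))
    return results


if __name__ == "__main__":
    # Usage: python audit_fw_creds.py /path/to/unpacked/rootfs  (or no args for the demo)
    found = audit_rootfs(sys.argv[1]) if len(sys.argv) > 1 else audit_accounts(SAMPLE_SHADOW)
    for f in found:
        print(f"{f['severity']:8} {f['account']:12} {f['status']} {f['algo']} ({f['source']})")
```

On the constructed sample this reports root (sha512crypt, medium), service (md5crypt, high, because MD5-crypt is fast to crack offline) and guest (passwordless, critical), and skips the locked daemon and operator entries. A usable hash in the image is a finding regardless of algorithm: strong hashing only slows an offline attack, it does not stop an attacker who already has the plaintext from a prior disclosure.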
Advisories and related resources, including exploit details, are available from IBM XForce Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/172838), Packet Storm Security (https://packetstormsecurity.com/files/155618), Exploit-DB (https://www.exploit-db.com/exploits/47763), the vendor INIM Electronics site (https://www.inim.biz/), and Zero Science Labs (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php), which may provide guidance on mitigations or patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1603
Vulnerability details
INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models.
- CWE-798: Use of Hard-coded Credentials
Related Threats
MITRE ATT&CK Enterprise Techniques
- Valid Accounts (T1078)
Why these techniques?
Hard-coded credentials give an attacker a valid account on the device without any exploitation step: authenticating with them is indistinguishable from a legitimate login, which is exactly the T1078 pattern for remote authentication and initial access.
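Because the login itself looks legitimate, detection has to key on who is logging in and from where rather than on an exploit signature. The following is an added example for this page, not part of the advisory or any vendor tooling. It assumes the device, or a syslog collector in front of it, forwards sshd-style "Accepted ... for USER from IP" lines; the account name svcadmin stands in for whichever vendor account the firmware audit turned up and is not the credential from CVE-2019-25291, which this page does not disclose. The log lines and the management network range are constructed for the demonstration.

```python
"""Flag use of baked-in device accounts in authentication logs (ATT&CK T1078).

Added example, not part of the advisory. Assumes sshd-style "Accepted" lines
reach the detector. BAKED_IN_ACCOUNTS holds hypothetical names; populate it
from your own firmware audit. Log lines and CIDRs below are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Accounts that exist in the firmware image and that the operator cannot
# rotate. Every use of one of these is worth an alert. (Hypothetical names.)
BAKED_IN_ACCOUNTS = {"svcadmin"}

# Networks from which interactive logins to the panel are expected (constructed).
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: two logins as the baked-in account (one external, one
# from the management LAN), one failure, one expected key login, one external
# password login as an operator-managed account.
SAMPLE_LOG = """\
Jan  8 10:01:02 smartlan sshd[311]: Accepted password for svcadmin from 203.0.113.45 port 51022 ssh2
Jan  8 10:03:15 smartlan sshd[312]: Accepted password for svcadmin from 10.0.5.2 port 51030 ssh2
Jan  8 10:05:00 smartlan sshd[313]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan  8 10:06:41 smartlan sshd[314]: Accepted publickey for installer from 10.0.5.9 port 51044 ssh2
Jan  8 10:09:13 smartlan sshd[315]: Accepted password for installer from 198.51.100.7 port 40012 ssh2
"""


def from_management_net(ip: str) -> bool:
    """True when the source address falls inside an expected management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def detect_valid_account_abuse(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per successful login that is either made with a
    baked-in account or comes from outside the management network."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are not logins
        user, ip, method = m["user"], m["ip"], m["method"]
        baked_in = user in BAKED_IN_ACCOUNTS
        external = not from_management_net(ip)
        if not (baked_in or external):
            continue  # operator-managed account from an expected network
        if baked_in and external:
            severity = "critical"  # unrotatable account used from the outside
        elif baked_in:
            severity = "high"      # unrotatable account used at all
        else:
            severity = "medium"    # normal account, unexpected source
        reasons = []
        if baked_in:
            reasons.append("login as baked-in vendor account")
        if external:
            reasons.append("login from outside management network")
        alerts.append({"ts": m["ts"], "host": m["host"], "user": user, "ip": ip,
                       "method": method, "severity": severity,
                       "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for a in detect_valid_account_abuse(SAMPLE_LOG):
        print(f"{a['severity']:8} {a['ts']} {a['user']}@{a['host']} from {a['ip']} "
              f"({a['method']}): {a['reason']}")
```

On the sample this raises three alerts: a critical one for svcadmin from 203.0.113.45, a high one for svcadmin from the management LAN, and a medium one for the installer password login from 198.51.100.7; the public-key login from the management LAN is left alone. If the affected service is telnet or a web login rather than sshd, only the regular expression needs to change; the two questions asked of each event stay the same.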
Affected Assets
- INIM Electronics Smartliving SmartLAN/G/SI <=6.x (multiple SmartLiving device models)
Mitigating Controls (NIST 800-53 r5)
IA-5 directly addresses hard-coded credentials by requiring that default authenticators be changed before first use, that authenticators have sufficient strength, and that they are managed securely. On the affected devices the operator cannot rotate these credentials, so IA-5 is only satisfied once a vendor firmware update removes them; until then, restrict network reachability of the device's login services to the networks that need it.
SI-2 requires timely identification, reporting, and correction of flaws such as hard-coded credentials through software and firmware updates and patching.
AC-2 covers management of the accounts associated with hard-coded credentials, including their creation, modification, disabling, and removal where the device allows it, to limit unauthorized access.