CVE-2019-25298
Published: 06 February 2026
Summary
CVE-2019-25298 is a high-severity SQL Injection (CWE-89) vulnerability in Lolypop55 Html5 Snmp. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25298 affects html5_snmp version 1.11 and consists of multiple SQL injection vulnerabilities in the Router_ID and Router_IP parameters. These flaws allow attackers to manipulate database queries using error-based, time-based, and union-based injection techniques. By sending crafted payloads, attackers can potentially extract or modify database information. The vulnerability is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-89.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Unauthenticated adversaries can target the affected parameters in requests to inject malicious SQL, enabling them to alter database queries and achieve high impacts on integrity and availability, such as modifying or disrupting data.
Advisories and related resources include the VulnCheck advisory on the htmlsnmp Router_ID SQL injection at https://www.vulncheck.com/advisories/htmlsnmp-routerid-sql-injection, a public exploit on Exploit-DB at https://www.exploit-db.com/exploits/47588, and the project repository at https://github.com/lolypop55/html5_snmp. Practitioners should consult these for mitigation guidance and patching details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19401
Vulnerability details
html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-based, and union-based injection techniques to potentially extract or modify database information by sending crafted payloads.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in a public-facing web app (html5_snmp) directly enables exploitation over the network, matching T1190.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents SQL injection by validating Router_ID and Router_IP parameters against malicious payloads using defined tools and procedures.
Mandates identification, reporting, and correction of the specific SQL injection flaws in html5_snmp version 1.11.
Mitigates error-based SQL injection by suppressing discernible database error messages that could aid attackers.
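The input-validation and error-suppression controls above, as an added example that is not html5_snmp's own code. Python with an in-memory SQLite database stands in for the application's stack; the `routers` table, its columns, the IPv4-only assumption and all function names are hypothetical.

```python
import ipaddress
import sqlite3

class InvalidParameter(ValueError):
    """Generic rejection; no SQL text or database error is echoed to the client."""

def validate_router_id(raw: str) -> int:
    # Allow-list: ASCII decimal digits only, bounded length (assumed integer key).
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise InvalidParameter("invalid Router_ID")
    return int(raw)

def validate_router_ip(raw: str) -> str:
    # Assumption: routers are addressed by IPv4; parse and return canonical form.
    try:
        return str(ipaddress.IPv4Address(raw))
    except ValueError:
        raise InvalidParameter("invalid Router_IP") from None

def find_router(conn, router_id_raw: str, router_ip_raw: str):
    router_id = validate_router_id(router_id_raw)
    router_ip = validate_router_ip(router_ip_raw)
    # Placeholders keep both values out of the SQL text, so even a value that
    # slipped past validation could not change the structure of the query.
    cur = conn.execute(
        "SELECT id, ip, name FROM routers WHERE id = ? AND ip = ?",
        (router_id, router_ip),
    )
    return cur.fetchone()

def make_demo_db():
    # Constructed sample data using documentation address space (192.0.2.0/24).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE routers (id INTEGER PRIMARY KEY, ip TEXT, name TEXT)")
    conn.executemany("INSERT INTO routers VALUES (?, ?, ?)",
                     [(1, "192.0.2.1", "core-1"), (2, "192.0.2.2", "edge-1")])
    return conn

def check(conn, router_id_raw: str, router_ip_raw: str):
    # Request-handler stand-in: returns the row, or only the generic message.
    try:
        return find_router(conn, router_id_raw, router_ip_raw)
    except InvalidParameter as exc:
        return str(exc)

if __name__ == "__main__":
    db = make_demo_db()
    for rid, rip in [("1", "192.0.2.1"), ("1 OR 1=1", "192.0.2.1"), ("2", "192.0.2.2' -- ")]:
        print(repr(rid), repr(rip), "->", check(db, rid, rip))
```

Validation and parameter binding are independent layers here: the bound query stays safe if a validator is later loosened, and the validators reject malformed input before it reaches the database.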