CVE-2019-25333
Published: 12 February 2026
Summary
CVE-2019-25333 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-25333 is a directory traversal vulnerability (CWE-22) in Bullwark Momentum Series JAWS 1.0. The flaw enables unauthenticated attackers to access system files outside the web root directory by manipulating HTTP request paths, specifically through crafted GET requests containing multiple '../' sequences.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges or user interaction required. Successful exploitation allows reading of sensitive files, such as /etc/passwd, resulting in high confidentiality impact. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Advisories and related resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/bullwark-momentum-series-jaws-momentum-series-jaws, a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/47773, and an archived version of the vendor site at https://web.archive.org/web/20190729023518/http://www.bullwark.net/. The CVE was published on 2026-02-12T23:16:06.267.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19575
Vulnerability details
Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP request paths. Attackers can exploit the vulnerability by sending crafted GET requests with multiple '../' sequences to read sensitive files like /etc/passwd outside the web root directory.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Directory traversal in a public-facing web application directly enables remote file read (T1190) of local system data (T1005), including credentials stored in files (T1552.001).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of HTTP request paths to reject crafted inputs containing '../' sequences, preventing directory traversal exploitation.
Monitors and controls public access communications traffic at entry points to block unauthenticated remote requests exploiting the directory traversal vulnerability.
Enforces boundary protection at external interfaces using mechanisms like web application firewalls to filter and block malicious path traversal attempts.
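The input-validation control above, sketched as an added example (not code from the vendor, the advisory or this page): the request path is decoded once, canonicalized, and served only if it still resolves inside the web root. The function name `resolve_request_path`, the throwaway web root and the request targets are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def resolve_request_path(web_root, request_target):
    """Map an HTTP request target to a file under web_root, or return None."""
    # Decode exactly once, as the server itself would; decoding again after
    # the containment check would reopen the hole.
    path = unquote(urlsplit(request_target).path)
    if "\x00" in path or "\\" in path:
        return None  # never valid in a URL path on this (POSIX) layout
    root = os.path.realpath(web_root)
    # realpath collapses '../' segments and follows symlinks, so the check
    # below is made on the file that would really be opened.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # resolved outside the web root: reject
    return candidate


def demo():
    """Run constructed request targets against a throwaway web root."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("ok")
        targets = [
            "/index.html",                # normal request
            "/img/../index.html",         # dot segment that stays inside
            "/../../../../etc/passwd",    # the pattern described above
            "/%2e%2e/%2e%2e/etc/passwd",  # same path, percent-encoded
        ]
        return {t: resolve_request_path(root, t) is not None for t in targets}


if __name__ == "__main__":
    for target, allowed in demo().items():
        print("ALLOW " if allowed else "REJECT", target)
```

Checking the resolved path rather than searching the raw string for '../' is what lets the harmless `/img/../index.html` through while rejecting both forms of the escape.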