Cyber Resilience

CVE-2019-25333

High · Public PoC

Published: 12 February 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0064 (46.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25333 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-25333 is a directory traversal vulnerability (CWE-22) in Bullwark Momentum Series JAWS 1.0. The flaw enables unauthenticated attackers to access system files outside the web root directory by manipulating HTTP request paths, specifically through crafted GET requests containing multiple '../' sequences.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges or user interaction required. Successful exploitation allows reading of sensitive files, such as /etc/passwd, resulting in high confidentiality impact. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Advisories and related resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/bullwark-momentum-series-jaws-momentum-series-jaws, a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/47773, and an archived version of the vendor site at https://web.archive.org/web/20190729023518/http://www.bullwark.net/. The CVE was published on 2026-02-12T23:16:06.267.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP request paths. Attackers can exploit the vulnerability by sending crafted GET requests with multiple '../' sequences to read sensitive files like /etc/passwd outside the web root directory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Directory traversal in a public web application directly enables remote file read (T1190) of local system data (T1005), including credentials in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36939 · Shared CWE-22
CVE-2026-26217 · Shared CWE-22
CVE-2026-27305 · Shared CWE-22
CVE-2022-50992 · Shared CWE-22
CVE-2026-30952 · Shared CWE-22
CVE-2026-32847 · Shared CWE-22
CVE-2026-6227 · Shared CWE-22
CVE-2026-30976 · Shared CWE-22
CVE-2025-10897 · Shared CWE-22
CVE-2026-30403 · Shared CWE-22

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of HTTP request paths to reject crafted inputs containing '../' sequences, preventing directory traversal exploitation.

prevent · detect

Monitors and controls public access communications traffic at entry points to block unauthenticated remote requests exploiting the directory traversal vulnerability.

prevent · detect

Enforces boundary protection at external interfaces using mechanisms like web application firewalls to filter and block malicious path traversal attempts.
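The input-validation control described above, sketched as an added example (not code from the vendor, the advisory, or this page): instead of string-matching '../', it canonicalises the requested path and checks that the result still lies under the web root. The names `WEB_ROOT` and `resolve_request_path` and the document-root path are hypothetical.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # hypothetical document root, an assumption


def resolve_request_path(request_path, web_root=WEB_ROOT):
    """Map a GET request path to a file under web_root.

    Returns the canonical absolute path, or None when the request
    must be rejected because it would resolve outside the web root.
    """
    # Only the path component selects a file; drop query and fragment.
    path = request_path.split("?", 1)[0].split("#", 1)[0]

    # Decode percent-encoding exactly once. If the result would still
    # decode further, the request is double-encoded (%252e%252e): reject.
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return None

    # A NUL byte can truncate the path in lower layers: reject.
    if "\x00" in decoded:
        return None

    # Treat backslashes as separators so '..\..\' is handled like '../../'.
    decoded = decoded.replace("\\", "/")

    # Canonicalise both sides. realpath collapses '..' segments and
    # follows symlinks, so a link inside the root that points outside
    # it is caught by the same containment check.
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))

    # Containment test on whole path components, not a string prefix
    # (a prefix test would accept /var/www/html-backup for /var/www/html).
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

A `None` result should be answered with an error response and logged, which also gives the detect-side controls a signal to alert on.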

References