CVE-2019-25342
Published: 12 February 2026
Summary
CVE-2019-25342 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Centova Cast (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); it is ranked at the 21.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2019-25342 is a denial-of-service vulnerability affecting Centova Cast version 3.2.12. The flaw enables attackers to overwhelm the system by repeatedly invoking the database export API endpoint at /api.php with crafted parameters, resulting in 100% CPU load. It is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers can exploit this vulnerability without authentication or user interaction, as it requires only network access and low complexity. By sending multiple concurrent requests to the vulnerable endpoint, attackers achieve a denial of service, severely impacting system availability through resource exhaustion.
Advisories and related resources, including the vendor site at https://centova.com, an exploit proof-of-concept at https://www.exploit-db.com/exploits/47677, and a detailed advisory at https://www.vulncheck.com/advisories/centova-cast-denial-of-service, provide further guidance on detection, mitigation, and potential patches for affected Centova Cast deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19578
Vulnerability details
Centova Cast 3.2.12 contains a denial of service vulnerability that allows attackers to overwhelm the system by repeatedly calling the database export API endpoint. Attackers can trigger 100% CPU load by sending multiple concurrent requests to the /api.php endpoint with crafted parameters.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1499.004 maps directly: the endpoint denial of service is achieved by unauthenticated abuse of the API, which causes resource exhaustion.
Mitigating Controls (NIST 800-53 r5)
SC-5 directly mandates safeguards to protect against denial-of-service events like the resource exhaustion from repeated concurrent requests to the vulnerable API endpoint.
SC-6 enforces resource allocation quotas to prevent CPU overload and 100% utilization caused by unlimited database export API calls.
SI-9 restricts quantities of information inputs from external sources, mitigating excessive requests to the /api.php endpoint.
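As an added example (not from the advisory or from Centova), the following Python script flags the traffic pattern this record describes in Apache-style access logs: many requests to /api.php from one source address inside a short window, the kind of burst SC-5 throttling should stop. The log lines, source addresses, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache-style access-log lines (not real traffic): 203.0.113.5
# hammers /api.php while 198.51.100.7 browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2026:10:00:00 +0000] "GET /api.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Feb/2026:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.5 - - [12/Feb/2026:10:00:00 +0000] "GET /api.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Feb/2026:10:00:01 +0000] "GET /api.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Feb/2026:10:00:01 +0000] "GET /api.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Feb/2026:10:00:02 +0000] "GET /api.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Feb/2026:10:00:02 +0000] "GET /api.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Feb/2026:10:00:02 +0000] "GET /api.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Feb/2026:10:00:03 +0000] "GET /api.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Feb/2026:10:00:03 +0000] "GET /api.php HTTP/1.1" 200 512
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD path proto", ...
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')


def parse_line(line):
    """Return (source, timestamp, path without query string), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("src"), ts, m.group("path").split("?", 1)[0]


def find_bursts(log_text, path="/api.php", window_seconds=10, threshold=5):
    """Sliding-window count of requests to `path` per source; returns
    {source: peak count inside any window} for sources that reached
    `threshold`. Assumes the log is in time order."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != path:
            continue
        src, ts, _ = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks
```

Run against the sample, `find_bursts(SAMPLE_LOG)` returns `{'203.0.113.5': 8}`; the single /api.php request from 198.51.100.7 stays below the threshold and is not reported.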