CVE-2019-25343
Published: 12 February 2026
Summary
CVE-2019-25343 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Vm3Max (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2019-25343 is an insecure file permissions vulnerability (CWE-732) in NextVPN 4.10. The flaw allows local users to modify executable files that grant full access rights, enabling unauthorized alterations to system executables.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). By replacing legitimate system executables with malicious ones, the attacker can achieve privilege escalation to SYSTEM or Administrator levels, resulting in high impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 7.8).
Advisories from VulnCheck detail the insecure file permissions issue in NextVPN, while Exploit-DB hosts an exploit at https://www.exploit-db.com/exploits/47831. Security practitioners should review these references, including https://www.vulncheck.com/advisories/nextvpn-insecure-file-permissions and https://vm3max.site, for mitigation guidance and patch information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19481
Vulnerability details
NextVPN 4.10 contains an insecure file permissions vulnerability that allows local users to modify executable files with full access rights. Attackers can replace system executables with malicious files to gain SYSTEM or Administrator privileges through unauthorized file modification.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insecure file permissions (CWE-732) on executables directly enables local privilege escalation by allowing replacement of system binaries.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Prevents unauthorized modification of executable programs, directly mitigating the insecure file permissions that allow replacement of system executables with malicious ones.
Mandates secure configuration settings including restrictive file permissions on executables to prevent low-privileged local users from modifying them.
Enforces least privilege to restrict low-privileged local users from accessing or modifying critical system executables.