CVE-2019-25343
Published: 12 February 2026
Summary
CVE-2019-25343 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Vm3Max (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, it ranks in the 2.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Prevents unauthorized modification of executable programs, directly mitigating the insecure file permissions that allow replacement of system executables with malicious ones.
Mandates secure configuration settings including restrictive file permissions on executables to prevent low-privileged local users from modifying them.
Enforces least privilege to restrict low-privileged local users from accessing or modifying critical system executables.
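A check for the condition these controls address, as an added example that is not part of the original advisory or any vendor tooling: it reports executables under an install directory whose ACL grants write-type rights to broad low-privileged groups. `$InstallDir` is a placeholder (the page does not give the NextVPN install path), and the groups and rights treated as risky are assumptions of this example.

```powershell
# Added example (not from the advisory): report executables whose ACL lets
# broad, low-privileged groups modify or replace them (CWE-732).
param(
    # Placeholder path: the page does not state where NextVPN is installed.
    [string]$InstallDir = 'C:\Path\To\NextVPN'
)

# Well-known SIDs, so the check does not depend on localized group names.
# Treating exactly these groups as "low-privileged" is this example's assumption.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow changing file content, deleting it, or rewriting its ACL/owner.
$Specific = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped in ACEs.
$RiskMask = [int]$Specific -bor 0x50000000

$SidType = [System.Security.Principal.SecurityIdentifier]
$files = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' }

$findings = foreach ($file in $files) {
    $acl = Get-Acl -LiteralPath $file.FullName
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $RiskMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $file.FullName
            Principal = $BroadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    exit 1   # non-zero so a scheduled compliance job can alert
}
Write-Output "No broadly writable executables under $InstallDir"
```

Write access on a containing folder can also permit replacing a file whose own ACL is tight, so the same test is worth running against the directories.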
NVD Description
NextVPN 4.10 contains an insecure file permissions vulnerability that allows local users to modify executable files with full access rights. Attackers can replace system executables with malicious files to gain SYSTEM or Administrator privileges through unauthorized file modification.
Deeper analysis [AI]
CVE-2019-25343 is an insecure file permissions vulnerability (CWE-732) in NextVPN 4.10. The flaw allows local users to modify executable files with full access rights, enabling unauthorized alterations to system executables.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). By replacing legitimate system executables with malicious ones, the attacker can achieve privilege escalation to SYSTEM or Administrator levels, resulting in high impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 7.8).
Advisories from VulnCheck detail the insecure file permissions issue in NextVPN, while Exploit-DB hosts an exploit at https://www.exploit-db.com/exploits/47831. Security practitioners should review these references, including https://www.vulncheck.com/advisories/nextvpn-insecure-file-permissions and https://vm3max.site, for mitigation guidance and patch information.
Details
- CWE(s)