CVE-2019-25352
Published: 18 February 2026
Summary
CVE-2019-25352 is a high-severity Path Traversal (CWE-22) vulnerability affecting Genivia software (vendor inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
Crystal Live HTTP Server version 6.01 is affected by CVE-2019-25352, a directory traversal vulnerability classified under CWE-22. This flaw enables remote attackers to access system files outside the web root by manipulating URL path segments, typically using multiple '../' sequences. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for user interaction, privileges, or special conditions.
Remote attackers can exploit this vulnerability over the network with low complexity and no authentication. By crafting malicious HTTP requests with directory traversal payloads, they can retrieve sensitive files, such as Windows system configuration files, potentially exposing critical information like credentials or system details.
References include a proof-of-concept exploit on Exploit-DB (ID 47666), a vulnerability advisory from VulnCheck detailing the path traversal issue in Crystal Live HTTP Server, the vendor site at genivia.com, and an archived page from crystalrs.com. No specific patch or mitigation details are outlined in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19644
Vulnerability details
Crystal Live HTTP Server 6.01 contains a directory traversal vulnerability that allows remote attackers to access system files by manipulating URL path segments. Attackers can use multiple '../' sequences to navigate outside the web root and retrieve sensitive configuration files like Windows system files.
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in public-facing web server directly enables remote file access (T1190) and retrieval of local system data/credentials (T1005).
Mitigating Controls (NIST 800-53 r5)
- Input validation: validates URL path inputs to block directory traversal sequences like '../', directly preventing unauthorized access to system files outside the web root.
- AC-3 (Access Enforcement): enforces approved access authorizations to restrict file system access to the web root directory only, mitigating traversal attempts.
- SC-14 (Public Access Protections): implements specific protections for public HTTP servers to prevent unauthorized disclosure of system files via manipulated URL paths.
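As an added illustration of the input-validation and access-enforcement controls above (example code written for this page, not code from Crystal Live HTTP Server or its vendor), the check below confines every requested path to the web root and reuses the same check to flag traversal attempts in access-log lines. The web root `/srv/www`, the function names and the sample log lines are constructed assumptions.

```python
# Added example written for this page (not Crystal Live HTTP Server code).
# WEB_ROOT and SAMPLE_LOG are constructed assumptions.
from typing import List, Optional
from urllib.parse import unquote
import posixpath

WEB_ROOT = "/srv/www"  # assumed document root

def resolve_under_root(web_root: str, url_path: str) -> Optional[str]:
    """Map url_path under web_root; None if it would escape (CWE-22 check)."""
    # Lexical only: handles '%2e%2e%2f', Windows '\' separators and NUL bytes.
    decoded = unquote(url_path)            # decode once: '%2e%2e%2f' -> '../'
    if "\x00" in decoded:
        return None                        # NUL would truncate the path downstream
    decoded = decoded.replace("\\", "/")   # Windows treats '\' as a separator too
    stack: List[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                       # empty and '.' segments are no-ops
        if segment == "..":
            if not stack:
                return None                # would climb above the web root: reject
            stack.pop()
        else:
            stack.append(segment)
    return posixpath.join(web_root, *stack) if stack else web_root

def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return request targets from common-log-format lines that fail the check."""
    hits = []
    for line in log_lines:
        fields = line.split('"')
        if len(fields) < 2:
            continue
        request = fields[1].split()        # e.g. ['GET', '/index.html', 'HTTP/1.1']
        if len(request) < 2:
            continue
        target = request[1].split("?", 1)[0]
        if resolve_under_root(WEB_ROOT, target) is None:
            hits.append(target)
    return hits

SAMPLE_LOG = [  # constructed access-log lines
    '203.0.113.5 - - [18/Feb/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Feb/2026:10:00:02 +0000] "GET /../../windows/win.ini HTTP/1.1" 200 403',
    '203.0.113.5 - - [18/Feb/2026:10:00:03 +0000] "GET /..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 403',
    '203.0.113.5 - - [18/Feb/2026:10:00:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 512',
]
```

A server applying `resolve_under_root` before opening any file rejects the traversal requests rather than collapsing them silently, so the rejection can also be logged and alerted on.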