Cyber Resilience

CVE-2019-25352

HighPublic PoC

Published: 18 February 2026

Published
18 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0076 50.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2019-25352 is a high-severity Path Traversal (CWE-22) vulnerability in Genivia (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

Crystal Live HTTP Server version 6.01 is affected by CVE-2019-25352, a directory traversal vulnerability classified under CWE-22. This flaw enables remote attackers to access system files outside the web root by manipulating URL path segments, typically using multiple '../' sequences. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for user interaction, privileges, or special conditions.

Remote attackers can exploit this vulnerability over the network with low complexity and no authentication. By crafting malicious HTTP requests with directory traversal payloads, they can retrieve sensitive files, such as Windows system configuration files, potentially exposing critical information like credentials or system details.

References include a proof-of-concept exploit on Exploit-DB (ID 47666), a vulnerability advisory from VulnCheck detailing the path traversal issue in Crystal Live HTTP Server, the vendor site at genivia.com, and an archived page from crystalrs.com. No specific patch or mitigation details are outlined in the provided information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Crystal Live HTTP Server 6.01 contains a directory traversal vulnerability that allows remote attackers to access system files by manipulating URL path segments. Attackers can use multiple '../' sequences to navigate outside the web root and retrieve sensitive configuration files…

more

like Windows system files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Directory traversal in public-facing web server directly enables remote file access (T1190) and retrieval of local system data/credentials (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66687Shared CWE-22
CVE-2025-26753Shared CWE-22
CVE-2025-44177Shared CWE-22
CVE-2023-42226Shared CWE-22
CVE-2026-39859Shared CWE-22
CVE-2024-55457Shared CWE-22
CVE-2025-8343Shared CWE-22
CVE-2026-23939Shared CWE-22
CVE-2025-27098Shared CWE-22
CVE-2025-69411Shared CWE-22

Affected Assets

Genivia
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates URL path inputs to block directory traversal sequences like '../', directly preventing unauthorized access to system files outside the web root.

prevent

Enforces approved access authorizations to restrict file system access to only the web root directory, mitigating traversal attempts.

prevent

Implements specific protections for public HTTP servers to prevent unauthorized disclosure of system files via manipulated URL paths.

References