Cyber Resilience

CVE-2019-25379

Medium · Public PoC

Published: 16 February 2026

Modified: 20 February 2026
KEV Added
Patch
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0005 (14.9th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25379 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Smoothwall Smoothwall Express. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks at the 14.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2019-25379 is a stored and reflected cross-site scripting (XSS) vulnerability (CWE-79) affecting Smoothwall Express version 3.1-SP4-polar-x86_64-update9, specifically in the urlfilter.cgi endpoint. The flaw allows attackers to inject malicious scripts by submitting POST requests containing script payloads in the REDIRECT_PAGE or CHILDREN parameters. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating network accessibility, low attack complexity, no privileges or user interaction required, and a change in scope with low impacts to confidentiality and integrity.

Unauthenticated remote attackers can exploit this vulnerability to execute arbitrary JavaScript in the browsers of users accessing the affected Smoothwall Express interface. By crafting POST requests with malicious payloads, attackers can achieve reflected XSS for immediate execution upon submission or stored XSS for persistence, potentially leading to session hijacking, data theft, or further phishing attacks against administrative users.

Advisories and references, including those from VulnCheck and the Smoothwall website, detail the vulnerability, and a proof-of-concept exploit is available on Exploit-DB (ID 46333). No specific patch or mitigation details are outlined in the provided information, but security practitioners should consult these sources for updates and apply vendor-recommended fixes to the urlfilter.cgi endpoint. A public PoC indicates potential for real-world exploitation.

Vulnerability details

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains stored and reflected cross-site scripting vulnerabilities in the urlfilter.cgi endpoint that allow attackers to inject malicious scripts. Attackers can submit POST requests with script payloads in the REDIRECT_PAGE or CHILDREN parameters to execute arbitrary JavaScript in user browsers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1185 · Browser Session Hijacking · Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

XSS enables browser session hijacking via arbitrary JS execution for cookie theft or account takeover on the web UI.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25395 · Same product: Smoothwall Smoothwall Express
CVE-2019-25394 · Same product: Smoothwall Smoothwall Express
CVE-2025-25203 · Shared CWE-79
CVE-2025-67959 · Shared CWE-79
CVE-2025-68835 · Shared CWE-79
CVE-2026-32118 · Shared CWE-79
CVE-2025-24617 · Shared CWE-79
CVE-2026-30934 · Shared CWE-79
CVE-2026-24833 · Shared CWE-79
CVE-2024-56038 · Shared CWE-79

Affected Assets

smoothwall
smoothwall express
3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires validation and sanitization of untrusted inputs (REDIRECT_PAGE/CHILDREN parameters) to block script injection into urlfilter.cgi.

prevent

Requires filtering of information outputs to remove or neutralize malicious scripts before they reach user browsers in stored or reflected XSS scenarios.

prevent · detect

Provides malicious-code detection and blocking mechanisms that can identify and stop injected JavaScript payloads at the application boundary.