CVE-2019-25394
Published: 16 February 2026
Summary
CVE-2019-25394 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Smoothwall Smoothwall Express. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2019-25394 affects Smoothwall Express 3.1-SP4-polar-x86_64-update9 and consists of multiple stored cross-site scripting (XSS) vulnerabilities in the modem.cgi script. These flaws, classified under CWE-79, enable attackers to inject malicious scripts through POST parameters including INIT, HANGUP, SPEAKER_ON, SPEAKER_OFF, TONE_DIAL, and PULSE_DIAL. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated remote attackers (PR:N) can exploit the vulnerabilities over the network (AV:N) with low complexity (AC:L) by submitting crafted payloads via the vulnerable parameters. When administrators or other users retrieve and view the stored data through the web interface, the injected JavaScript executes in their browsers, potentially leading to low confidentiality and integrity impacts with a scope change (S:C).
Advisories and resources are available at the Smoothwall website (http://www.smoothwall.org), VulnCheck (https://www.vulncheck.com/advisories/smoothwall-express-modemcgi-cross-site-scripting), and a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/46333).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19624
Vulnerability details
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow attackers to inject malicious scripts through POST parameters. Attackers can submit crafted payloads in parameters like INIT, HANGUP, SPEAKER_ON, SPEAKER_OFF, TONE_DIAL, and PULSE_DIAL to execute…
more
arbitrary JavaScript in users' browsers when the stored data is retrieved.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing web interface (modem.cgi) directly enables remote exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of all POST parameters (INIT, HANGUP, etc.) in modem.cgi to reject XSS payloads before storage.
Requires filtering of stored data on output so that malicious scripts injected via modem.cgi are neutralized before rendering in user browsers.
Can block or alert on execution of the injected JavaScript payloads when the stored modem.cgi data is later retrieved and viewed.