Cyber Resilience

CVE-2019-25394

MediumPublic PoC

Published: 16 February 2026

Published
16 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.3th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25394 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Smoothwall Smoothwall Express. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2019-25394 affects Smoothwall Express 3.1-SP4-polar-x86_64-update9 and consists of multiple stored cross-site scripting (XSS) vulnerabilities in the modem.cgi script. These flaws, classified under CWE-79, enable attackers to inject malicious scripts through POST parameters including INIT, HANGUP, SPEAKER_ON, SPEAKER_OFF, TONE_DIAL, and PULSE_DIAL. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated remote attackers (PR:N) can exploit the vulnerabilities over the network (AV:N) with low complexity (AC:L) by submitting crafted payloads via the vulnerable parameters. When administrators or other users retrieve and view the stored data through the web interface, the injected JavaScript executes in their browsers, potentially leading to low confidentiality and integrity impacts with a scope change (S:C).

Advisories and resources are available at the Smoothwall website (http://www.smoothwall.org), VulnCheck (https://www.vulncheck.com/advisories/smoothwall-express-modemcgi-cross-site-scripting), and a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/46333).

EU & UK References

Vulnerability details

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow attackers to inject malicious scripts through POST parameters. Attackers can submit crafted payloads in parameters like INIT, HANGUP, SPEAKER_ON, SPEAKER_OFF, TONE_DIAL, and PULSE_DIAL to execute…

more

arbitrary JavaScript in users' browsers when the stored data is retrieved.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS in public-facing web interface (modem.cgi) directly enables remote exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25395Same product: Smoothwall Smoothwall Express
CVE-2019-25379Same product: Smoothwall Smoothwall Express
CVE-2021-47873Shared CWE-79
CVE-2026-7052Shared CWE-79
CVE-2024-56060Shared CWE-79
CVE-2025-49043Shared CWE-79
CVE-2026-40038Shared CWE-79
CVE-2024-56022Shared CWE-79
CVE-2025-68889Shared CWE-79
CVE-2026-1074Shared CWE-79

Affected Assets

smoothwall
smoothwall express
3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all POST parameters (INIT, HANGUP, etc.) in modem.cgi to reject XSS payloads before storage.

prevent

Requires filtering of stored data on output so that malicious scripts injected via modem.cgi are neutralized before rendering in user browsers.

preventdetect

Can block or alert on execution of the injected JavaScript payloads when the stored modem.cgi data is later retrieved and viewed.

References