CVE-2019-25395
Published: 16 February 2026
Summary
CVE-2019-25395 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Smoothwall Smoothwall Express. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2019-25395 affects Smoothwall Express 3.1-SP4-polar-x86_64-update9 and consists of multiple stored cross-site scripting (XSS) vulnerabilities, classified under CWE-79, in the preferences.cgi script. Attackers can inject malicious scripts through the HOSTNAME, KEYMAP, and OPENNESS parameters by submitting POST requests to preferences.cgi, causing the code to be stored and later executed in the browsers of users who access the preferences page.
Unauthenticated attackers with network access can exploit these vulnerabilities with low complexity and no user interaction required, as indicated by the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). Successful exploitation enables execution of arbitrary scripts in victims' browsers, potentially leading to session hijacking, data theft, or further compromise within the scoped context of the application.
Advisories and additional details on mitigation are documented in vendor resources at http://www.smoothwall.org, a proof-of-concept exploit at https://www.exploit-db.com/exploits/46333, and a dedicated advisory at https://www.vulncheck.com/advisories/smoothwall-express-preferencescgi-cross-site-scrip. Security practitioners should review these for patching instructions or workarounds specific to Smoothwall Express deployments.
A public proof-of-concept exploit is available, highlighting the vulnerability's exploitability in real-world scenarios.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19622
Vulnerability details
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that allow attackers to inject malicious scripts through the HOSTNAME, KEYMAP, and OPENNESS parameters. Attackers can submit POST requests with script payloads to preferences.cgi to store malicious…
more
code that executes in the browsers of users accessing the preferences page.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing web app (preferences.cgi) directly enables T1190 exploitation; resulting arbitrary script execution in victim browsers facilitates T1185 session hijacking.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of all inputs (HOSTNAME, KEYMAP, OPENNESS) to preferences.cgi, blocking the script payloads that enable stored XSS.
Requires filtering of information outputs on the preferences page so that stored malicious scripts cannot execute in user browsers.
Provides mechanisms to detect and block malicious code (the injected scripts) before or during execution in the web application context.