Cyber Resilience

CVE-2019-25395

MediumPublic PoC

Published: 16 February 2026

Published
16 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.3th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25395 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Smoothwall Smoothwall Express. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2019-25395 affects Smoothwall Express 3.1-SP4-polar-x86_64-update9 and consists of multiple stored cross-site scripting (XSS) vulnerabilities, classified under CWE-79, in the preferences.cgi script. Attackers can inject malicious scripts through the HOSTNAME, KEYMAP, and OPENNESS parameters by submitting POST requests to preferences.cgi, causing the code to be stored and later executed in the browsers of users who access the preferences page.

Unauthenticated attackers with network access can exploit these vulnerabilities with low complexity and no user interaction required, as indicated by the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). Successful exploitation enables execution of arbitrary scripts in victims' browsers, potentially leading to session hijacking, data theft, or further compromise within the scoped context of the application.

Advisories and additional details on mitigation are documented in vendor resources at http://www.smoothwall.org, a proof-of-concept exploit at https://www.exploit-db.com/exploits/46333, and a dedicated advisory at https://www.vulncheck.com/advisories/smoothwall-express-preferencescgi-cross-site-scrip. Security practitioners should review these for patching instructions or workarounds specific to Smoothwall Express deployments.

A public proof-of-concept exploit is available, highlighting the vulnerability's exploitability in real-world scenarios.

EU & UK References

Vulnerability details

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that allow attackers to inject malicious scripts through the HOSTNAME, KEYMAP, and OPENNESS parameters. Attackers can submit POST requests with script payloads to preferences.cgi to store malicious…

more

code that executes in the browsers of users accessing the preferences page.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS in public-facing web app (preferences.cgi) directly enables T1190 exploitation; resulting arbitrary script execution in victim browsers facilitates T1185 session hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25394Same product: Smoothwall Smoothwall Express
CVE-2019-25379Same product: Smoothwall Smoothwall Express
CVE-2026-1843Shared CWE-79
CVE-2026-42678Shared CWE-79
CVE-2023-49186Shared CWE-79
CVE-2025-22586Shared CWE-79
CVE-2026-1316Shared CWE-79
CVE-2025-23451Shared CWE-79
CVE-2026-34564Shared CWE-79
CVE-2025-23744Shared CWE-79

Affected Assets

smoothwall
smoothwall express
3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all inputs (HOSTNAME, KEYMAP, OPENNESS) to preferences.cgi, blocking the script payloads that enable stored XSS.

prevent

Requires filtering of information outputs on the preferences page so that stored malicious scripts cannot execute in user browsers.

preventdetect

Provides mechanisms to detect and block malicious code (the injected scripts) before or during execution in the web application context.

References