Cyber Resilience

CVE-2019-25422

Medium · Public PoC

Published: 19 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: none listed
CVSS Score (v4.0): 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (6.3rd percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-25422 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Comodo Dome Firewall. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

Comodo Dome Firewall version 2.7.0 contains cross-site scripting vulnerabilities (CWE-79) in the vpnfw endpoint. These flaws allow attackers to inject malicious scripts via POST requests, enabling reflected XSS through the target parameter or stored XSS through the remark parameter. The issues result in the execution of arbitrary JavaScript code within the browsers of administrators, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Remote attackers with network access can exploit these vulnerabilities without authentication privileges. By submitting crafted POST requests containing script payloads to the vpnfw endpoint, they can trigger JavaScript execution in an administrator's browser, potentially compromising sensitive data or performing unauthorized actions within the administrative context.

Advisories detail the vulnerabilities, including a proof-of-concept exploit published on Exploit-DB at https://www.exploit-db.com/exploits/46408 and a Vulncheck advisory at https://www.vulncheck.com/advisories/comodo-dome-firewall-cross-site-scripting-via-vpnfw. Additional references include Comodo product pages at https://cdome.comodo.com/firewall/ and https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9278&af=9278.

EU & UK References

Vulnerability details

Comodo Dome Firewall 2.7.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through the vpnfw endpoint. Attackers can submit POST requests with script payloads in the target parameter for reflected XSS or the remark parameter for stored XSS to execute arbitrary JavaScript in administrator browsers.

CWE(s)

CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

XSS in public-facing firewall admin interface directly enables exploitation of a public-facing application to execute arbitrary code in admin context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25405 - Same product: Comodo Dome Firewall
CVE-2019-25419 - Same product: Comodo Dome Firewall
CVE-2021-47873 - Shared CWE-79
CVE-2026-7052 - Shared CWE-79
CVE-2024-56060 - Shared CWE-79
CVE-2025-49043 - Shared CWE-79
CVE-2026-40038 - Shared CWE-79
CVE-2024-56022 - Shared CWE-79
CVE-2025-68889 - Shared CWE-79
CVE-2026-1074 - Shared CWE-79

Affected Assets

comodo dome firewall, versions ≤ 2.7.0

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 Information Input Validation

Requires validation of all inputs to the vpnfw endpoint (target/remark parameters) to reject script payloads before they are processed or stored.

prevent · SI-15 Information Output Filtering

Mandates output filtering/encoding of administrative web responses so that any injected script from stored or reflected XSS is neutralized before reaching the browser.

prevent · detect

Provides malicious-code inspection and filtering capabilities that can be configured to detect and block common XSS patterns at the web interface boundary.
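The two controls above map onto two distinct code changes: validating the target and remark parameters on the way in (SI-10) and HTML-encoding them on the way out (SI-15). The following is an added illustration written for this page, not Comodo's code and not taken from the advisory; the handler, the in-memory rule store, the regular expression for target and the length limit for remark are all assumptions chosen to show the pattern. It keeps the unsafe renderer beside the encoded one so the difference in output is visible on a constructed payload.

```python
import html
import re

# Assumed constraints for the two vpnfw parameters named in the advisory.
# A VPN target is treated as a hostname/address token; a remark as short free text.
TARGET_RE = re.compile(r"^[A-Za-z0-9._:-]+$")
MAX_REMARK_LEN = 200

# In-memory stand-in for the firewall's stored VPN rules (hypothetical store).
RULES = []


def validate_target(value: str) -> str:
    """SI-10 style input validation: accept only a constrained token.

    A script payload cannot satisfy the pattern, so it is rejected before
    it is ever reflected into a response.
    """
    if not TARGET_RE.fullmatch(value):
        raise ValueError("target must be a hostname or address token")
    return value


def validate_remark(value: str) -> str:
    """Bound the free-text field; free text still needs output encoding."""
    if len(value) > MAX_REMARK_LEN or any(ord(c) < 0x20 for c in value):
        raise ValueError("remark too long or contains control characters")
    return value


def render_vpn_rule_unsafe(target: str, remark: str) -> str:
    """The vulnerable pattern: raw interpolation of stored values into HTML."""
    return f"<tr><td>{target}</td><td>{remark}</td></tr>"


def render_vpn_rule(target: str, remark: str) -> str:
    """SI-15 style output encoding: escape every value before interpolation.

    html.escape(quote=True) encodes < > & " ' so a stored remark is shown
    literally instead of being parsed as markup or an event handler.
    """
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(target, quote=True), html.escape(remark, quote=True)
    )


def handle_post(form: dict) -> dict:
    """Hypothetical handler for a POST to the vpnfw endpoint.

    Returns a dict with an HTTP-like status and either the rendered page
    or an error message. Rejected input is never echoed back into HTML.
    """
    try:
        target = validate_target(form.get("target", ""))
        remark = validate_remark(form.get("remark", ""))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    RULES.append({"target": target, "remark": remark})
    rows = "".join(render_vpn_rule(r["target"], r["remark"]) for r in RULES)
    return {"status": 200, "html": "<table>" + rows + "</table>"}


if __name__ == "__main__":
    # Constructed sample inputs: one reflected attempt via target, one stored via remark.
    print(handle_post({"target": "<script>alert(1)</script>", "remark": "site A"}))
    print(handle_post({"target": "10.0.0.5", "remark": "<img src=x onerror=alert(1)>"}))
    print(render_vpn_rule_unsafe("10.0.0.5", "<img src=x onerror=alert(1)>"))
```

Input validation alone is not enough for the remark field: a remark legitimately contains arbitrary text, so the defence that actually neutralizes the stored case is the encoding at render time, and the encoding must be applied in every template that displays the value, not only the one that accepted it.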

References