CVE-2019-25465
Published: 11 March 2026
Summary
CVE-2019-25465 is a high-severity Password in Configuration File (CWE-260) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).
Deeper analysis
Hisilicon HiIpcam V100R003 is affected by CVE-2019-25465, a directory traversal vulnerability (CWE-260) in the cgi-bin directory that enables directory listing. This flaw allows unauthenticated attackers to access sensitive configuration files, including through the getadslattr.cgi endpoint, which exposes ADSL credentials and network configuration parameters such as usernames, passwords, and DNS settings. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By sending crafted requests to the vulnerable endpoint, attackers gain unauthorized access to configuration data, potentially enabling further network reconnaissance, credential reuse, or lateral movement within the target's infrastructure.
Advisories from VulnCheck detail the information disclosure via directory traversal, while Exploit-DB hosts a proof-of-concept exploit (ID 47405) demonstrating the issue. No patch or mitigation details are specified in available references.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19736
Vulnerability details
Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. Attackers can request the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration parameters including…
more
usernames, passwords, and DNS settings.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory traversal enables direct file/directory access and exposure of credentials in config files on a public-facing device.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates inputs to vulnerable CGI endpoints like getadslattr.cgi to block directory traversal sequences accessing sensitive configuration files.
Enforces logical access controls to prevent unauthenticated attackers from reaching sensitive files through cgi-bin directory traversal.
Mandates secure web server configuration settings to disable directory listing and restrict access to endpoints exposing ADSL credentials and network parameters.