CVE-2019-25470
Published: 11 March 2026
Summary
CVE-2019-25470 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability with a CVSS base score of 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 30.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-25470 is an authentication bypass vulnerability (CWE-798) affecting eWON Firmware versions 12.2 to 13.0. The flaw resides in the wsdReadForm endpoint, from which attackers can retrieve sensitive user data, including the encrypted passwords of all users. Those passwords are protected only by XOR with a key hardcoded in the firmware, so anyone who obtains them can decrypt them trivially. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, with no privileges, user interaction, or special conditions required.
A remote attacker with network access to the device can exploit the flaw by sending crafted POST requests to the /wrcgi.bin/wsdReadForm endpoint carrying base64-encoded partial credentials and a manipulated wsdList parameter. Although the description mentions minimal privileges, these requests bypass the endpoint's authentication restrictions. Successful exploitation yields the encrypted passwords of every user, which can then be decrypted with the known hardcoded XOR key, potentially granting full administrative access where default or weak passwords are in use.
Advisories and additional details are available from the vendor at https://www.ewon.biz, a proof-of-concept exploit at https://www.exploit-db.com/exploits/47380, and a VulnCheck analysis at https://www.vulncheck.com/advisories/ewon-firmware-authentication-bypass-via-wsdreadform; these likely outline patching or mitigation recommendations, including firmware upgrades beyond version 13.0.
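Because the device itself does not authenticate these requests, the practical detection point is the HTTP path in front of it. The following added example (not from the advisory or the vendor) flags POST requests to the wsdReadForm endpoint in Common Log Format access logs; it assumes a reverse proxy or web gateway in front of the eWON unit writes such logs, and the sample lines are constructed.

```python
import re
from collections import Counter

# Endpoint named in the advisory; any POST reaching it over the network is worth review.
WSD_READFORM_PATH = "/wrcgi.bin/wsdReadForm"

# Common Log Format with "METHOD PATH PROTO" in the request field (assumed log shape).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without any query string
    return rec

def is_wsdreadform_probe(rec):
    """True for a POST to the wsdReadForm endpoint; the path match is case-insensitive."""
    return (rec is not None and rec["method"] == "POST"
            and rec["path"].lower() == WSD_READFORM_PATH.lower())

def find_probes(lines):
    """Return the flagged records in log order plus a per-source-address count."""
    hits = [r for r in map(parse_line, lines) if is_wsdreadform_probe(r)]
    return hits, Counter(r["src"] for r in hits)

# Constructed sample: a hypothetical proxy log in front of an eWON unit (addresses are RFC 5737 test ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Mar/2026:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Mar/2026:10:01:09 +0000] "POST /wrcgi.bin/wsdReadForm HTTP/1.1" 200 4096',
    '198.51.100.7 - - [11/Mar/2026:10:01:10 +0000] "POST /wrcgi.bin/wsdreadform?x=1 HTTP/1.1" 200 4096',
    '192.0.2.10 - - [11/Mar/2026:10:02:00 +0000] "GET /wrcgi.bin/wsdReadForm HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    hits, per_src = find_probes(SAMPLE_LOG)
    for r in hits:
        print(f"{r['ts']} {r['src']} POST {r['path']} -> {r['status']} ({r['size']} bytes)")
    for src, n in per_src.most_common():
        print(f"{src}: {n} wsdReadForm POST(s)")
```

Only GET requests and other paths pass through untouched, so the per-source count isolates hosts repeatedly hitting the endpoint that the firmware fails to protect.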
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19744
Vulnerability details
eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded partial credentials and a crafted wsdList parameter to extract encrypted passwords for all users, which can be decrypted using a hardcoded XOR key.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authentication bypass on a public-facing web endpoint (wsdReadForm) directly enables T1190; the hardcoded XOR key protecting stored passwords enables T1552 (Unsecured Credentials).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: upgrading eWON firmware versions 12.2 to 13.0 to a fixed release removes the authentication bypass in the wsdReadForm endpoint and so prevents extraction of user passwords.
- AC-3 (Access Enforcement): enforcing approved access authorizations ensures the vulnerable endpoint rejects unauthorized POST requests with crafted parameters, blocking the bypass.
- SI-10 (Information Input Validation): validating and rejecting malformed base64-encoded credentials and crafted wsdList parameters in POST requests to wsdReadForm prevents the authentication bypass.