CVE-2019-25235

CriticalPublic PoC

Published: 24 December 2025

Published

24 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0037 58.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces server-side approved authorizations for access to administrative web pages, preventing bypass of client-side JavaScript validation.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Explicitly identifies and restricts actions performable without identification or authentication, prohibiting unauthorized access to sensitive admin endpoints.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires identification and authentication for non-organizational users or attackers accessing administrative functions over the network.

Security SummaryAI

CVE-2019-25235 is an authentication bypass vulnerability (CWE-639) in Smartwares HOME easy version 1.0.9. The flaw enables unauthenticated attackers to access administrative web pages by disabling JavaScript, thereby bypassing client-side validation. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts.

Unauthenticated remote attackers can exploit the vulnerability over the network with low complexity and no privileges or user interaction required, per the CVSS vector. By disabling JavaScript, attackers can directly navigate to multiple administrative endpoints and retrieve sensitive system information.

Advisories and further details are available from Zero Science Lab (ZSL-2019-5540 at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php) and the vendor site (https://www.smartwares.eu). A proof-of-concept exploit is published on Exploit-DB (https://www.exploit-db.com/exploits/47595).

Details

CWE(s): CWE-639

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application, enabling unauthenticated remote attackers to access administrative endpoints, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/47595
disclosure@vulncheck.com
https://www.smartwares.eu
disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php
disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php
134c704f-9b21-4f2e-91b3-4a467353bcc0