
CVE-2019-25241

Severity: Critical · Public PoC

Published: 24 December 2025
Modified: 31 December 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (65.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly mandates changing default authenticators and protecting them from unauthorized disclosure, preventing exploitation of the hard-coded SSH credentials for the wwwuser account.
- prevent: Enforces least privilege to restrict the wwwuser account from executing sudo commands without authentication, blocking privilege escalation to root.
- prevent: Requires secure configuration settings for system components such as the sudoers file, mitigating the insecure configuration that allows unauthenticated privilege escalation.

Security Summary [AI-generated]

CVE-2019-25241 is a critical authentication vulnerability in FaceSentry Access Control System version 6.4.8, stemming from hard-coded SSH credentials for the wwwuser account. This issue is exacerbated by an insecure sudoers configuration that permits privilege escalation to root access through sudo commands executed without authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-798 (Use of Hard-coded Credentials). It was published on 2025-12-24.

The flaw is exploitable remotely over the network with low attack complexity and requires no privileges, user interaction, or special access. An attacker can authenticate via SSH using the hard-coded wwwuser credentials, then run sudo commands without any further authentication to escalate to root, resulting in high-impact compromise of confidentiality, integrity, and availability on the affected system.

Advisories and resources detailing the vulnerability include the vendor site at http://www.iwt.com.hk, an exploit at https://www.exploit-db.com/exploits/47067, and Zero Science's analysis at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php. These references provide further technical details on the issue, though specific patch or mitigation instructions are not detailed in the CVE description.

Details

CWE(s)

Affected Products

Vendor: iwt
Product: facesentry access control system firmware
Versions: 5.7.0, 5.7.2, 6.4.8

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1078.001 Default Accounts (Stealth)
  Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 External Remote Services (Persistence)
  Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1548.003 Sudo and Sudo Caching (Privilege Escalation)
  Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
T1021.004 SSH (Lateral Movement)
  Adversaries may use [Valid Accounts](https://attack.
Why these techniques?

Hard-coded SSH credentials enable use of default/valid accounts (T1078.001) via external remote services like SSH (T1133, T1021.004); insecure sudoers allows privilege escalation (T1548.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References