Cyber Posture

CVE-2019-25249

CriticalPublic PoC

Published: 24 December 2025

Published
24 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a…

more

password by manipulating system configuration parameters.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to system resources, directly preventing the htmlmgr CGI script's authentication bypass that allows unauthorized configuration manipulation and root access.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Limits permitted actions without identification or authentication, prohibiting sensitive operations like enabling telnet, remote shells, or reboots via the vulnerable CGI endpoint.

SI-2 Flaw Remediation good match
prevent

Identifies, reports, and remediates the specific authentication bypass flaw in the devolo firmware, eliminating the vulnerability at its source.

Security SummaryAI

CVE-2019-25249 is an authentication bypass vulnerability affecting the devolo dLAN 500 AV Wireless+ firmware version 3.1.0-1. The flaw exists in the htmlmgr CGI script, which allows attackers to manipulate system configuration parameters without authentication. This enables the activation of hidden services, including telnet and remote shell access, device reboots, and escalation to root privileges. The vulnerability is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266 (Incorrect Privilege Assignment for Critical Resource).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By sending crafted requests to the htmlmgr CGI endpoint, adversaries can enable insecure services like telnet and remote shells, leading to full root access without a password. This grants complete control over the device, including configuration changes, data extraction, and potential pivoting to other network assets.

Advisories and related resources include the vendor site at https://www.devolo.com, an exploit at https://www.exploit-db.com/exploits/46325, and a vulnerability report from Zero Science Labs at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php. These references document the issue but do not specify patch availability or mitigation steps in the provided details.

Details

CWE(s)
CWE-266

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1543.003 Windows Service Persistence
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
attack.mitre.org →
T1021 Remote Services Lateral Movement
Adversaries may use [Valid Accounts](https://attack.
attack.mitre.org →
T1529 System Shutdown/Reboot Impact
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
attack.mitre.org →
Why these techniques?

Auth bypass in public-facing CGI script enables T1190 exploitation; grants root access (T1068); allows modifying/enabling hidden remote services like telnet/shell (T1031, T1021); supports device reboot (T1529).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References