CVE-2019-19092 in eSOMS
Summary
by MITRE
ABB eSOMS versions 4.0 to 6.0.3 use ASP.NET Viewstate without Message Authentication Code (MAC). Alterations to Viewstate might thus not be noticed.
Analysis
by VulDB Data Team • 05/09/2025
CVE-2019-19092 affects ABB eSOMS versions 4.0 through 6.0.3 and is a critical flaw in the web application's handling of ASP.NET ViewState. The application uses ViewState to round-trip page state through the client, but it does so without Message Authentication Code (MAC) verification, so there is no cryptographic check that the state the client returns is the state the server sent. Because alterations go undetected, an attacker can manipulate ViewState data, which may lead to unauthorized access or privilege escalation within the application's security boundaries.
The flaw is a misconfiguration of ASP.NET's ViewState security settings: the application relies on ViewState encryption alone rather than on both encryption and authentication. This departs from security best practice and lets an attacker modify ViewState content and observe the effect of each modification without triggering an integrity validation failure. Without MAC validation the application cannot distinguish altered state from legitimate state and processes the modified state as if it were genuine. The issue maps to CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-347 (Improper Verification of Cryptographic Signature), as a failure to validate the integrity and authenticity of transmitted data.
The operational impact goes beyond simple data manipulation, because the application trusts the integrity of ViewState data. An attacker who modifies ViewState could escalate privileges, reach restricted functionality, or perform actions that should be limited to authorized users. The severity is amplified by the range of affected ABB eSOMS versions, which implies broad exposure across installations that use this web framework configuration. The weakness undermines the application's security model, which assumes that state is protected by cryptographic verification.
Mitigation for CVE-2019-19092 should focus on enabling ViewState MAC validation in the ASP.NET application configuration: set the EnableViewStateMac property to true, use both encryption and authentication for ViewState data, and configure a proper machine key for the cryptographic operations. Security teams should also perform regular security scanning, monitor for unauthorized ViewState modifications, and subject all application components to security validation. Organizations should update to patched versions of ABB eSOMS where available and add network-level monitoring to detect exploitation attempts. The vulnerability's alignment with ATT&CK techniques T1566 - Phishing and T1078 - Valid Accounts shows how this weakness could be used in broader campaigns targeting authenticated application access.
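The following Python example, added to this analysis and not taken from ABB eSOMS or from the ASP.NET framework, contrasts the two patterns discussed above: a page-state token that is only encoded (the CWE-347 condition, where any client-side edit is accepted) and one carrying an HMAC-SHA256 tag computed with a server-only key (the behaviour enabling ViewState MAC restores). The JSON state, the field names, the demo key and the helper names are all constructed for the example; real ASP.NET ViewState uses its own serializer and the machineKey validationKey, not these.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the server-side machineKey validationKey.
# Assumption for this example only: a real key is a long random secret kept on the server.
VALIDATION_KEY = b"constructed-demo-validation-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _serialize(state: dict) -> bytes:
    # Canonical encoding so the MAC is computed over a stable byte string.
    return json.dumps(state, sort_keys=True).encode()


def encode_state_no_mac(state: dict) -> str:
    """Weak pattern (the condition behind the CVE): state is only base64-encoded.
    Nothing binds the bytes to the server, so any edit is accepted on return."""
    return base64.b64encode(_serialize(state)).decode()


def decode_state_no_mac(token: str) -> dict:
    return json.loads(base64.b64decode(token))


def encode_state_with_mac(state: dict, key: bytes = VALIDATION_KEY) -> str:
    """Hardened pattern: append an HMAC-SHA256 tag over the serialized state."""
    payload = _serialize(state)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def decode_state_with_mac(token: str, key: bytes = VALIDATION_KEY) -> dict:
    """Verify the tag in constant time before deserializing anything."""
    raw = base64.b64decode(token)
    if len(raw) < TAG_LEN:
        raise ValueError("ViewState MAC validation failed: token too short")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def altered_copy(token: str, field: str, value, tag_len: int = 0) -> str:
    """Test fixture: a client-side-edited copy of a token with one field rewritten.
    Any trailing tag bytes are kept as they were, since an editor without the
    server key cannot recompute them."""
    raw = base64.b64decode(token)
    payload, tag = (raw[:-tag_len], raw[-tag_len:]) if tag_len else (raw, b"")
    state = json.loads(payload)
    state[field] = value
    return base64.b64encode(_serialize(state) + tag).decode()


def accepts(token: str) -> bool:
    """True if the MAC-validating decoder accepts the token."""
    try:
        decode_state_with_mac(token)
        return True
    except ValueError:
        return False


def demo() -> dict:
    # Constructed page state; "role" is the field whose integrity matters.
    original = {"page": "WorkOrders", "role": "operator"}
    weak = encode_state_no_mac(original)
    weak_edited = altered_copy(weak, "role", "admin")
    strong = encode_state_with_mac(original)
    strong_edited = altered_copy(strong, "role", "admin", TAG_LEN)
    return {
        "no_mac_edit_accepted": decode_state_no_mac(weak_edited)["role"] == "admin",
        "mac_edit_rejected": not accepts(strong_edited),
        "mac_untouched_accepted": accepts(strong),
    }


if __name__ == "__main__":
    print(demo())
```

The detection side of the mitigation falls out of the same check: once MAC validation is on, every tampered token surfaces as a validation failure at the point where decode_state_with_mac raises, which is the event to log and alert on rather than the silent acceptance the unauthenticated path produces. In an ASP.NET deployment the equivalent switch is enableViewStateMac on the pages element of web.config together with an explicit machineKey validationKey shared by all servers in the farm.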