CVE-2019-25382 in Express
Summary
by MITRE • 02/16/2026
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTP_SERVER parameter. Attackers can send POST requests to the time.cgi endpoint with script payloads in the NTP_SERVER parameter to execute arbitrary JavaScript in users' browsers.
Analysis
by VulDB Data Team • 02/18/2026
CVE-2019-25382 affects Smoothwall Express version 3.1-SP4-polar-x86_64-update9, a network security appliance designed for firewall and routing functions. The flaw is a reflected cross-site scripting vulnerability that compromises the integrity of user sessions and browser environments. It arises in the time.cgi endpoint, which fails to properly sanitize input parameters, specifically the NTP_SERVER parameter that controls Network Time Protocol server configuration. The vulnerability falls under CWE-79, which covers cross-site scripting, a critical weakness in web application security, particularly when attackers can manipulate parameters without authentication.
Exploitation is straightforward: an unauthenticated attacker crafts a malicious POST request to the time.cgi endpoint. When the NTP_SERVER parameter contains a script payload, the application reflects the input back to the user's browser without adequate sanitization or encoding. The injected JavaScript then executes in the context of the legitimate user's session, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The vulnerability lies in the parameter handling of the time configuration interface, so it could be exploited during routine system administration tasks or by automated attacks.
The operational impact of CVE-2019-25382 extends beyond simple script execution, as it enables attackers to manipulate the security posture of the affected network appliance. Users who interact with the Smoothwall Express web interface are potential victims, because their browsers execute the malicious scripts reflected back from the vulnerable endpoint. The attack requires no authentication, which makes it particularly dangerous for network administrators, who might unknowingly trigger the exploit while managing the system. The vulnerability could facilitate more sophisticated attacks such as credential harvesting, in which attackers collect login information from users performing administrative tasks on the appliance. The reflected nature of the vulnerability means that successful exploitation could occur across multiple users simultaneously, amplifying the potential damage.
Mitigation for CVE-2019-25382 should focus on input validation and output encoding practices that align with industry standards such as those recommended by the Open Web Application Security Project (OWASP). Proper parameter sanitization within the time.cgi endpoint would address the root cause by ensuring that all user-supplied input is validated and encoded before it is reflected back to browsers. Network administrators should consider applying vendor-provided patches or updates that specifically address this vulnerability, as the Smoothwall Express platform has likely released remediation measures. Web application firewalls and security monitoring solutions can additionally help detect and prevent exploitation attempts targeting this vulnerability. The ATT&CK framework categorizes this type of vulnerability under T1059.007 for scripting and T1566 for phishing, so defensive measures should include both application-level hardening and network-based detection capabilities.
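The validation and output-encoding approach described above can be sketched as follows. This is an added example, not Smoothwall's code or a vendor patch: Python is used for illustration only, and the function names and HTML markup are hypothetical, with only the NTP_SERVER field name taken from the advisory.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs

# One RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_ntp_server(value: str) -> bool:
    """Allowlist check: accept only an IP literal or an RFC 1123 hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if labels[-1].isdigit():  # all-numeric last label: a malformed IPv4, not a name
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def render_time_form(post_body: str) -> tuple[bool, str]:
    """Return (accepted, html_fragment) for a form-encoded POST body."""
    fields = parse_qs(post_body, keep_blank_values=True)
    value = fields.get("NTP_SERVER", [""])[0]
    accepted = is_valid_ntp_server(value)
    # Encode on output even when validation fails: the rejected value is
    # still echoed into the form, which is where reflected XSS arises.
    safe = html.escape(value, quote=True)
    error = "" if accepted else "<p>Invalid NTP server address.</p>"
    # Hypothetical markup; only the NTP_SERVER field name comes from the advisory.
    return accepted, f'{error}<input name="NTP_SERVER" value="{safe}">'


if __name__ == "__main__":
    # Constructed sample bodies: one legitimate value, one carrying markup.
    for body in ("NTP_SERVER=pool.ntp.org",
                 "NTP_SERVER=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"):
        print(render_time_form(body))
```

Validation alone is not sufficient, because a rejected value is typically redisplayed to the user; the encoding step is what keeps that redisplay inert.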