CVE-2019-25392 in Express
Summary
by MITRE • 02/16/2026
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the IP parameter. Attackers can send POST requests to the iptools.cgi endpoint with script payloads in the IP parameter to execute arbitrary JavaScript in victim browsers.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2019-25392 resides within Smoothwall Express 3.1-SP4-polar-x86_64-update9, a network security appliance designed for firewall and routing functions. This system employs a web-based management interface that processes user input through the iptools.cgi endpoint, creating an attack surface where improperly validated parameters can be exploited. The specific flaw manifests when the IP parameter is passed through HTTP requests without adequate sanitization or output encoding, allowing malicious actors to inject harmful script code that gets reflected back to unsuspecting users.
The technical implementation of this cross-site scripting vulnerability follows the classic reflected XSS pattern where attacker-controlled data flows directly from user input through the application's processing logic and back to the user's browser. The IP parameter in the iptools.cgi endpoint serves as the injection vector, accepting arbitrary input that is subsequently rendered in the web response without proper HTML escaping or context-aware encoding. This allows an attacker to craft malicious POST requests containing JavaScript payloads that execute within the victim's browser context when the reflected content is displayed.
From an operational perspective, this vulnerability presents a significant risk to organizations relying on Smoothwall Express for network security. The unauthenticated nature of the attack means that any user with access to the web interface can exploit this flaw without requiring prior credentials or privileged access. The reflected nature of the vulnerability means that successful exploitation can occur through social engineering techniques such as phishing emails or compromised websites that direct users to malicious URLs containing the XSS payload. The attack can result in session hijacking, credential theft, redirection to malicious sites, or the execution of arbitrary commands within the victim's browser context.
The vulnerability aligns with CWE-79, which categorizes cross-site scripting flaws as weaknesses in input validation and output encoding. This specific implementation also maps to ATT&CK technique T1566.001 for initial access through spearphishing attachments or links, and T1566.002 for spearphishing via email. Organizations should implement immediate mitigations including input validation on all parameters passed to the iptools.cgi endpoint, output encoding of all user-supplied data, and the implementation of Content Security Policy headers. The most effective long-term solution involves upgrading to a patched version of Smoothwall Express or implementing web application firewalls that can detect and block malicious payloads targeting this specific vulnerability.
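The mitigations listed above (validating the IP parameter, encoding it on output, and sending a Content Security Policy header), shown as an added example that is not Smoothwall's code and not part of the original advisory. The handler name, response markup and policy string are hypothetical, and the sketch assumes the field should only ever hold a single IPv4 or IPv6 address literal.

```python
import html
import ipaddress
from urllib.parse import parse_qs

# Restrictive policy: inline script is not allowed to run even if markup slips through.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def parse_ip_field(raw_body):
    """Return the IP field as a canonical address string, or None if invalid."""
    values = parse_qs(raw_body, keep_blank_values=True).get("IP", [])
    if len(values) != 1:  # missing or duplicated parameter
        return None
    try:
        addr = ipaddress.ip_address(values[0].strip())
    except ValueError:
        return None
    # Python 3.9+ accepts an IPv6 zone suffix ("fe80::1%eth0") and barely
    # restricts its characters, so a zone can carry markup. Reject zones.
    if getattr(addr, "scope_id", None) is not None:
        return None
    return str(addr)


def handle_iptools_post(raw_body):
    """Hypothetical handler: returns (status, headers, html_body)."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
    }
    ip = parse_ip_field(raw_body)
    if ip is None:
        # Fixed error text: the rejected value is never echoed back.
        return 400, headers, "<p>Invalid IP address.</p>"
    # Encode on output even though the value was validated (defence in depth).
    safe = html.escape(ip, quote=True)
    return 200, headers, '<p>Results for <input name="IP" value="%s"></p>' % safe


if __name__ == "__main__":
    # Constructed sample POST bodies: two valid, three that must be rejected.
    for body in ("IP=192.0.2.10", "IP=2001:db8::1",
                 "IP=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
                 "IP=192.0.2.10%22%3E%3Cb%3E", "IP=fe80::1%25%3Cb%3E"):
        status, _, page = handle_iptools_post(body)
        print(status, page)
```

The zone-suffix case is why validation alone is not treated as sufficient here: a library parser can accept more than the field's intended grammar, so the value is still encoded where it is written into the page.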