CVE-2019-25400 in IPFire
Summary
by MITRE • 02/19/2026
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated users' browsers.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/27/2026
The vulnerability CVE-2019-25400 represents a critical reflected cross-site scripting flaw discovered in IPFire version 2.21 Core Update 127 within the fwhosts.cgi web interface script. This vulnerability stems from insufficient input validation and output encoding mechanisms that fail to properly sanitize user-supplied data before incorporating it into dynamically generated web pages. The affected parameters span across multiple host and service configuration fields including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp, creating numerous attack vectors for malicious actors. The vulnerability is classified under CWE-79 as a classic reflected cross-site scripting weakness where malicious scripts are injected into web applications through user input fields that are then reflected back to users without proper sanitization.
The operational impact of this vulnerability is severe as it allows authenticated attackers to execute arbitrary JavaScript code within the context of other users' browsers, potentially leading to session hijacking, privilege escalation, or data exfiltration. Attackers can craft POST requests containing malicious script payloads that exploit these input fields, causing the web application to reflect the malicious code back to authenticated users who visit the affected pages. This creates a persistent threat vector where compromised users' browsers become attack vectors themselves, enabling attackers to access sensitive network configuration data, modify firewall rules, or perform unauthorized administrative actions. The vulnerability particularly affects the IPFire firewall management interface, which is commonly accessed by network administrators and security personnel, making it a prime target for targeted attacks.
The attack surface extends beyond simple script execution as this vulnerability can be leveraged to bypass security controls and escalate privileges within the network infrastructure. According to ATT&CK framework, this vulnerability maps to T1059.007 for scripting and T1566.001 for spearphishing with attachments, as attackers can use the reflected XSS to deliver malicious payloads that persist in the web application's interface. The vulnerability also aligns with T1071.004 for application layer protocol and T1190 for exploit public-facing application, demonstrating how web-based attacks can compromise network security devices. Organizations using IPFire for network security management face significant risk as attackers can exploit this vulnerability to gain unauthorized access to firewall configurations, potentially leading to complete network compromise.
Mitigation strategies should focus on implementing robust input validation and output encoding mechanisms throughout the application's web interface. The primary defense involves sanitizing all user-supplied input parameters before processing or displaying them in web responses, with a particular emphasis on the vulnerable parameters identified in the affected script. Network administrators should immediately apply the vendor-provided security patches and updates for IPFire 2.21 Core Update 127 to address this vulnerability. Additionally, implementing Content Security Policy headers, disabling unnecessary input fields, and conducting regular security audits of web applications can significantly reduce the risk of exploitation. The implementation of web application firewalls and regular penetration testing can provide additional layers of protection against similar vulnerabilities in network security infrastructure. Organizations should also consider implementing user access controls and monitoring for suspicious activities within the firewall management interface to detect potential exploitation attempts.