CVE-2019-25470 in Firmware
Summary
by MITRE • 03/11/2026
eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded partial credentials and a crafted wsdList parameter to extract encrypted passwords for all users, which can be decrypted using a hardcoded XOR key.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability identified as CVE-2019-25470 represents a critical authentication bypass flaw affecting eWON firmware versions 12.2 through 13.0. This issue resides within the web service interface of industrial network devices, specifically targeting the wsdReadForm endpoint that handles form processing operations. The flaw allows attackers with minimal privileges to circumvent the standard authentication mechanisms and access sensitive user information, creating a significant security risk for industrial control systems and network infrastructure. The vulnerability demonstrates a fundamental failure in access control implementation where the system fails to properly validate user credentials before granting access to sensitive data repositories.
The technical exploitation of this vulnerability leverages a specific endpoint /wrcgi.bin/wsdReadForm that accepts POST requests containing base64-encoded partial credentials combined with a crafted wsdList parameter. This parameter manipulation enables attackers to extract encrypted password information for all users within the system. The implementation flaw stems from insufficient input validation and inadequate session management controls that fail to properly authenticate requests before processing sensitive data retrieval operations. The vulnerability aligns with CWE-287 which addresses improper authentication issues, and represents a classic case of insufficient authorization checks that allow privilege escalation through malformed parameter manipulation.
The operational impact of this vulnerability extends beyond simple credential theft, as the extracted encrypted passwords can be decrypted using a hardcoded XOR key embedded within the firmware. This means that attackers can potentially gain unauthorized access to multiple user accounts and their associated privileges within the industrial network environment. The implications are particularly severe for industrial control systems where unauthorized access could lead to operational disruptions, data compromise, or even physical system manipulation. The vulnerability affects the integrity and confidentiality of user credentials, potentially enabling attackers to establish persistent access to critical industrial infrastructure.
Mitigation strategies for CVE-2019-25470 should focus on immediate firmware updates to versions that address the authentication bypass vulnerability. Organizations should implement network segmentation to isolate affected devices from critical infrastructure and apply network monitoring to detect anomalous POST requests to the vulnerable endpoint. Access controls should be strengthened through proper user privilege management and regular credential reviews. The implementation of intrusion detection systems can help identify attempts to exploit the wsdReadForm endpoint, while security audits should verify that no hardcoded cryptographic keys exist within firmware implementations. This vulnerability highlights the importance of secure coding practices and proper authentication mechanisms in industrial control systems, aligning with ATT&CK technique T1078 for valid accounts and T1566 for credential harvesting through exploitation of weak authentication mechanisms.