CVE-2019-25472 in Telefone IP TIP 200
Summary
by MITRE • 03/11/2026
IntelBras Telefone IP TIP200 and 200 LITE contain an unauthenticated arbitrary file read vulnerability in the dumpConfigFile function accessible via the cgiServer.exx endpoint. Attackers can send GET requests to /cgi-bin/cgiServer.exx with the command parameter containing dumpConfigFile() to read sensitive files including /etc/shadow and configuration files without proper authorization.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability identified as CVE-2019-25472 affects IntelBras Telefone IP TIP200 and 200 LITE devices, representing a critical security flaw in network communication infrastructure. These IP telephone devices are commonly deployed in enterprise and business environments for voice communication services, making their security implications particularly severe. The vulnerability resides within the web server component of these devices, specifically in the cgiServer.exx endpoint that handles various administrative functions. This flaw demonstrates a fundamental lack of access control mechanisms that should normally prevent unauthorized users from accessing sensitive system information.
The technical implementation of this vulnerability stems from improper input validation within the dumpConfigFile function, which is exposed through the cgiServer.exx endpoint without authentication requirements. When attackers send GET requests to the specific endpoint with the command parameter set to dumpConfigFile(), the system processes this request without verifying the legitimacy of the requester. This design flaw allows for arbitrary file reading capabilities that extend far beyond normal operational requirements. The vulnerability is classified under CWE-22 as "Improper Limitation of a Pathname to a Restricted Directory" and additionally relates to CWE-287 which addresses "Improper Authentication." The attack vector is particularly concerning because it requires no prior authentication credentials, making it accessible to any attacker who can reach the device's network interface.
The operational impact of this vulnerability is severe and multifaceted across multiple security domains. Attackers can directly access critical system files such as /etc/shadow, which contains hashed password information for system users, potentially enabling credential compromise and lateral movement within the network. Additionally, configuration files that contain sensitive operational data, network settings, and device parameters become accessible to unauthorized parties. This exposure can lead to comprehensive system reconnaissance, allowing attackers to map network topology, identify other vulnerable devices, and plan further attacks. The vulnerability creates a persistent backdoor that can be exploited repeatedly without detection, making it particularly dangerous in environments where these devices operate continuously.
Mitigation strategies for this vulnerability should focus on immediate network segmentation and access control implementation. Organizations must ensure that these devices are not directly accessible from untrusted networks and should be placed within secure network segments with appropriate firewall rules. The most effective immediate solution involves disabling unnecessary web services or implementing proper authentication mechanisms at the device level. Network administrators should also consider implementing intrusion detection systems that monitor for requests to the specific cgiServer.exx endpoint and related patterns. According to ATT&CK framework tactic TA0006 (Credential Access) and technique T1003 (OS Credential Dumping), this vulnerability directly enables credential theft through file system access. Regular security audits and firmware updates should be implemented to address the root cause, as the vulnerability exists in the device's firmware implementation and requires official patches from the vendor to resolve completely.