Sign-up

ID

VAR-201902-1020


CVE

CVE-2019-25249


TITLE

devolo dLAN 550 duo+ Starter Kit Remote Code Execution

Trust: 0.1

sources: ZSL: ZSL-2019-5508

DESCRIPTION

devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters. Devolo dLAN® 550 duo+ Starter Kit is Powerlineadapter which isa cost-effective and helpful networking alternative for any locationwithout structured network wiring. Especially in buildings or residenceslacking network cables or where updating the wiring would be expensiveand complicated, Powerline adapters provide networking at high transmissionrates.The web application allows users to perform certain actions via HTTPrequests without performing any validity checks to verify the requests. Thedevolo web application uses predictable URL/form actions in a repeatable way.This can be exploited to perform certain actions with administrative privilegesif a logged-in user visits a malicious web site.Tested on: Linux 2.6.31

Trust: 1.08

sources: NVD: CVE-2019-25249 // ZSL: ZSL-2019-5508 // ZSL: ZSL-2019-5507

AFFECTED PRODUCTS

vendor:devolomodel:dlanscope:eqversion:dlan 500 av wireless+ 3.1.0-1 (i386)

Trust: 0.2

sources: ZSL: ZSL-2019-5508 // ZSL: ZSL-2019-5507

CVSS

SEVERITY

CVSSV2

CVSSV3

disclosure@vulncheck.com: CVE-2019-25249
value: HIGH

Trust: 1.0

ZSL: ZSL-2019-5508
value: (4/5)

Trust: 0.1

ZSL: ZSL-2019-5507
value: (3/5)

Trust: 0.1

disclosure@vulncheck.com: CVE-2019-25249
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: ZSL: ZSL-2019-5508 // ZSL: ZSL-2019-5507 // NVD: CVE-2019-25249

PROBLEMTYPE DATA

problemtype:CWE-266

Trust: 1.0

sources: NVD: CVE-2019-25249

TYPE

Remote/Local,System Access, DoS

Trust: 0.1

sources: ZSL: ZSL-2019-5508

EXPLOIT AVAILABILITY

sources:
            
            
            ZSL: ZSL-2019-5508 // 
            
            
            
            ZSL: ZSL-2019-5507

EXTERNAL IDS
db:ZSLid:ZSL-2019-5508
Trust: 1.2
db:EXPLOIT-DBid:46325
Trust: 1.1
db:NVDid:CVE-2019-25249
Trust: 1.0
db:ZSLid:ZSL-2019-5507
Trust: 0.2
db:CXSECURITYid:WLB-2019020038
Trust: 0.1
db:PACKETSTORMid:151527
Trust: 0.1
db:PACKETSTORMid:151526
Trust: 0.1
db:CXSECURITYid:WLB-2019020039
Trust: 0.1
db:EXPLOIT-DBid:46324
Trust: 0.1
sources:
            
            
            ZSL: ZSL-2019-5508 // 
            
            
            
            ZSL: ZSL-2019-5507 // 
            
            
            
            NVD: CVE-2019-25249

REFERENCES
url:https://www.exploit-db.com/exploits/46325
Trust: 1.1
url:https://www.zeroscience.mk/en/vulnerabilities/zsl-2019-5508.php
Trust: 1.1
url:https://www.devolo.com
Trust: 1.0
url:https://www.zeroscience.mk/en/vulnerabilities/zsl-2019-5507.php
Trust: 0.1
url:https://packetstormsecurity.com/files/151527
Trust: 0.1
url:https://cxsecurity.com/issue/wlb-2019020038
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/156596
Trust: 0.1
url:https://www.exploit-db.com/exploits/46324
Trust: 0.1
url:https://packetstormsecurity.com/files/151526
Trust: 0.1
url:https://cxsecurity.com/issue/wlb-2019020039
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/156595
Trust: 0.1
sources:
            
            
            ZSL: ZSL-2019-5508 // 
            
            
            
            ZSL: ZSL-2019-5507 // 
            
            
            
            NVD: CVE-2019-25249

CREDITS
Vulnerability discovered by Stefan Petrushevski
Trust: 0.2
sources:
            
            
            ZSL: ZSL-2019-5508 // 
            
            
            
            ZSL: ZSL-2019-5507

SOURCES
db:ZSLid:ZSL-2019-5508
db:ZSLid:ZSL-2019-5507
db:NVDid:CVE-2019-25249

LAST UPDATE DATE
2026-01-15T23:29:33.073000+00:00

SOURCES UPDATE DATE
db:ZSLid:ZSL-2019-5508date:2019-02-10T00:00:00
db:ZSLid:ZSL-2019-5507date:2019-02-10T00:00:00
db:NVDid:CVE-2019-25249date:2025-12-29T15:58:13.147

SOURCES RELEASE DATE
db:ZSLid:ZSL-2019-5508date:2019-02-03T00:00:00
db:ZSLid:ZSL-2019-5507date:2019-02-03T00:00:00
db:NVDid:CVE-2019-25249date:2025-12-24T20:15:53.247