CVE-2019-25235
Unknown Unknown - Not Provided
Authentication Bypass in Smartwares HOME easy 1.0.9 Enables Admin Access

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25235
EUVD
EUVD-2025-205325
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
smartwares home_easy 1.0.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25235 is a client-side authentication bypass vulnerability in Smartwares HOME easy version 1.0.9 and earlier. It allows unauthenticated attackers to access multiple administrative web pages by disabling JavaScript in their browser, which bypasses client-side validation and authentication controls. Attackers can navigate to various administrative endpoints and access sensitive system information, including an SQLite3 database file and its location. This is due to insecure direct object references (IDOR) and the reliance on client-side controls for authentication. [2, 3]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to bypass authentication and gain access to administrative web pages of the Smartwares HOME easy system. This can lead to disclosure of sensitive system information, including database files, and potentially allow attackers to manipulate or control home electrical equipment remotely. The security bypass risks are rated moderately serious (3 out of 5), and the vulnerability affects both local and remote users. [2, 3]

Detection Guidance

This vulnerability can be detected by attempting to access the administrative web pages of Smartwares HOME easy 1.0.9 without authentication, especially by disabling JavaScript in the browser and navigating to known vulnerable endpoints such as /web-en/task.html, /web-en/action_task.html, /web-en/plan_task.html, /web-en/room.html, /web-en/room_set.html, /web-en/room_set2.html, /web-en/scene.html, /web-en/scene_set.html, /web-en/scene_set2.html, and /web-en/system.html. You can use tools like curl or wget to send HTTP requests to these endpoints and check if access is granted without authentication. Example commands: curl -I http://<target-ip>/web-en/task.html curl -I http://<target-ip>/web-en/system.html If these pages respond with HTTP 200 OK without authentication, the system is vulnerable. [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the administrative web pages by implementing proper server-side authentication and authorization controls, rather than relying on client-side JavaScript validation. Additionally, disable or restrict remote access to the affected device's web interface until a patch or update is available from the vendor. Monitoring and blocking attempts to access the known vulnerable endpoints can also help reduce risk. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25235. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart