CVE-2019-25239
Unauthenticated Information Disclosure in V-SOL GPON/EPON OLT Platform

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access.
Meta Information
Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-06-16
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
v-sol | gpon_epon_olt_platform | 2.03
v-sol | gpon_epon_olt_platform | *
CWE ID | Description
CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be.
Executive Summary

This vulnerability in V-SOL GPON/EPON OLT Platform version 2.03 allows unauthenticated attackers to download the device's configuration file (usrcfg.conf) with a direct HTTP GET request, an insecure direct object reference (IDOR). This exposes sensitive system information and enables attackers to bypass authentication, escalate privileges, and potentially fully compromise the system. [1, 2]

Impact Analysis

Exploitation of this vulnerability can lead to disclosure of sensitive configuration data, which may allow attackers to bypass authentication mechanisms, escalate privileges, and potentially take full control of the affected device. This can compromise the security and operation of broadband access networks relying on these devices. [1, 2]

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP GET requests to the vulnerable device targeting the configuration file endpoints. Example commands to test for the vulnerability include:

    curl http://[device_ip]/device/usrcfg.conf
    curl http://[device_ip]/action/usrcfg.conf

If the configuration file is returned without authentication, the device is vulnerable. [2]

Mitigation Strategies

Immediate steps to mitigate this vulnerability include restricting access to the device's web management interface to trusted networks only, implementing network-level access controls such as firewalls or VPNs to limit exposure, and monitoring for unauthorized access attempts. Additionally, applying any available vendor patches or updates that address this vulnerability is critical. If patches are not available, consider disabling or restricting access to the vulnerable endpoint (usrcfg.conf) if possible. Regularly audit device configurations and logs for suspicious activity related to configuration file downloads. [1, 2]
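
The log audit recommended above can be automated. The following is an added example, not part of the advisory or of any vendor tooling: it scans web access logs for requests to usrcfg.conf and separates served downloads from blocked attempts. It assumes the logs come from a reverse proxy or web gateway in front of the management interface and use Common Log Format; the function names and sample lines are constructed for illustration, and it goes beyond the two paths listed by matching the file name under any directory.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Common/Combined Log Format: ip - user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
CONFIG_NAME = "usrcfg.conf"  # file name given in the advisory

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Dec/2025:10:01:02 +0000] "GET /device/usrcfg.conf HTTP/1.1" 200 18432',
    '198.51.100.7 - - [24/Dec/2025:10:01:05 +0000] "GET /action/%75srcfg.conf?x=1 HTTP/1.1" 403 0',
    '192.0.2.10 - admin [24/Dec/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/Dec/2025:10:03:00 +0000] "GET /action/./USRCFG.CONF HTTP/1.1" 200 18432',
]


def classify(line):
    """Return a finding dict if the request targets usrcfg.conf, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode percent-escapes, collapse ./ and ../,
    # and lowercase so that encoded or re-cased variants are still caught.
    path = normpath(unquote(urlsplit(m["target"]).path)).lower()
    if path.rsplit("/", 1)[-1] != CONFIG_NAME:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    # A 200 with a non-empty body means the file content left the device.
    served = m["status"] == "200" and size > 0
    return {
        "ip": m["ip"],
        "time": m["time"],
        "path": path,
        "status": int(m["status"]),
        "verdict": "disclosed" if served else "attempt",
    }


def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["verdict"]:9} {f["ip"]:15} {f["status"]} {f["path"]} [{f["time"]}]')
```

A "disclosed" finding should be treated as credential exposure for that device, since the configuration file may contain account data.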

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
