CVE-2019-25250
CSRF Vulnerability in Devolo dLAN 500 AV Wireless+ Allows Admin Takeover
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolo | dlan_500_av_wireless | 3.1.0-1 |
| devolo | dlan_500_av_wireless+ | 3.1.0-1 |
| devolo | dlan_550_duo+ | 3.1.0-1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the devolo dLAN 500 AV Wireless+ version 3.1.0-1 device. It allows attackers to perform administrative actions on the device without proper validation of the requests. The device's web interface uses predictable URLs and form actions but fails to properly check or validate CSRF tokens, making it possible for an attacker to craft malicious web pages that, when visited by a logged-in user, trigger unauthorized configuration changes on the device. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow an attacker to remotely change administrative settings on the affected device without the user's consent. For example, an attacker could enable the NTP client and set a malicious NTP server, potentially disrupting network operations or redirecting traffic. Since the attack requires a logged-in user to visit a malicious website, it can lead to unauthorized configuration changes that compromise the device's security and network functionality. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP POST requests to the device's web management interface, especially those targeting its predictable URLs and form actions without CSRF token validation. You can use tools like curl or wget to send POST requests to the device's CGI interface and check whether administrative actions succeed without a valid CSRF token; for example, a POST request that enables the NTP client or changes other settings and is accepted indicates the device is vulnerable. Network traffic analysis tools like Wireshark or tcpdump can also be used to inspect suspicious HTTP requests to the device. A specific test command is: curl -X POST http://<device-ip>/cgi-bin/ntp.cgi -d 'ntp_enable=1&ntp_server=malicious.server', which checks whether the device accepts unauthorized configuration changes. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the device's web management interface to trusted networks or IP addresses, avoiding visiting untrusted websites while logged into the device's interface, and disabling remote web management if possible. Since the device does not properly validate CSRF tokens, users should ensure that firmware updates are applied if available, or consider isolating the device from exposure to potentially malicious web content. Additionally, monitoring and blocking suspicious HTTP POST requests targeting the device can help reduce exploitation risk. [1, 2]
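As an added defender-side example (not code from this page or from devolo), the kind of request filter a reverse proxy or IDS placed in front of the management interface could apply, covering both the detection and the blocking discussed in the two answers above: state-changing requests to the CGI interface are rejected when their Origin/Referer does not name the device host or when a required CSRF token is missing or wrong. The device address, the /cgi-bin/ prefix as the management namespace, the csrf_token field name and the sample records are assumptions; /cgi-bin/ntp.cgi and the ntp_enable/ntp_server parameters come from the page's detection note.

```python
from urllib.parse import urlsplit

DEVICE_HOST = "192.168.1.1"        # placeholder device address (assumption)
STATE_CHANGING = {"POST", "PUT", "DELETE"}
CGI_PREFIX = "/cgi-bin/"           # assumed management namespace


def csrf_verdict(method, path, headers, form, expected_token=None):
    """Return (allowed, reason) for one request to the device UI.

    Rule set: a state-changing CGI request must carry an Origin or Referer
    whose host is the device itself and, when the UI issues a per-session
    token, a matching csrf_token form field. Header names are matched
    case-insensitively. Rejecting requests with neither header is a policy
    choice; modern browsers always send Origin on cross-site POSTs.
    """
    if method.upper() not in STATE_CHANGING or not path.startswith(CGI_PREFIX):
        return True, "not a state-changing CGI request"
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "no Origin/Referer on state-changing request"
    if urlsplit(source).hostname != DEVICE_HOST:
        return False, f"cross-site source {source}"
    if expected_token is not None and form.get("csrf_token") != expected_token:
        return False, "missing or invalid csrf_token"
    return True, "same-origin request"


def flag_requests(records, expected_token=None):
    """Sweep parsed request records and return (path, reason) for each one
    the filter would block; a clean sweep returns an empty list."""
    flagged = []
    for r in records:
        ok, why = csrf_verdict(r["method"], r["path"], r["headers"], r["form"], expected_token)
        if not ok:
            flagged.append((r["path"], why))
    return flagged


# Constructed sample records: a legitimate UI submission, the forged request
# shape described on this page (NTP change from a foreign origin), and a read.
SAMPLE = [
    {"method": "POST", "path": "/cgi-bin/ntp.cgi", "headers": {"Origin": "http://192.168.1.1"},
     "form": {"ntp_enable": "1", "ntp_server": "pool.ntp.org"}},
    {"method": "POST", "path": "/cgi-bin/ntp.cgi", "headers": {"Origin": "http://attacker.example"},
     "form": {"ntp_enable": "1", "ntp_server": "malicious.server"}},
    {"method": "GET", "path": "/cgi-bin/status.cgi", "headers": {}, "form": {}},
]

if __name__ == "__main__":
    for path, why in flag_requests(SAMPLE):
        print(f"BLOCK {path}: {why}")
```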