CVE-2019-25250
Unknown Unknown - Not Provided
CSRF Vulnerability in Devolo dLAN 500 AV Wireless+ Allows Admin Takeover

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25250
EUVD
EUVD-2025-205309
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
devolo dlan_500_av_wireless 3.1.0-1
devolo dlan_500_av_wireless+ 3.1.0-1
devolo dlan_550_duo+ 3.1.0-1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the devolo dLAN 500 AV Wireless+ version 3.1.0-1 device. It allows attackers to perform administrative actions on the device without proper validation of the requests. The device's web interface uses predictable URLs and form actions but fails to properly check or validate CSRF tokens, making it possible for an attacker to craft malicious web pages that, when visited by a logged-in user, trigger unauthorized configuration changes on the device. [1, 2]

Impact Analysis

This vulnerability can allow an attacker to remotely change administrative settings on the affected device without the user's consent. For example, an attacker could enable the NTP client and set a malicious NTP server, potentially disrupting network operations or redirecting traffic. Since the attack requires a logged-in user to visit a malicious website, it can lead to unauthorized configuration changes that compromise the device's security and network functionality. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the device's web management interface, especially those targeting predictable URL and form actions without proper CSRF token validation. You can use tools like curl or wget to simulate POST requests to the device's CGI interface to check if administrative actions can be performed without valid CSRF tokens. For example, sending a POST request to enable the NTP client or change settings can indicate vulnerability. Network traffic analysis tools like Wireshark or tcpdump can also be used to inspect suspicious HTTP requests to the device. Specific commands might include: curl -X POST http://<device-ip>/cgi-bin/ntp.cgi -d 'ntp_enable=1&ntp_server=malicious.server' to test if the device accepts unauthorized configuration changes. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the device's web management interface to trusted networks or IP addresses, avoiding visiting untrusted websites while logged into the device's interface, and disabling remote web management if possible. Since the device does not properly validate CSRF tokens, users should ensure that firmware updates are applied if available, or consider isolating the device from exposure to potentially malicious web content. Additionally, monitoring and blocking suspicious HTTP POST requests targeting the device can help reduce exploitation risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart