CVE-2019-25252
CSRF Vulnerability in Teradek VidiU Pro Allows Admin Password Change
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| teradek | vidiu_pro | 3.0.3 |
| teradek | vidiu_pro | 3.0.2 |
| teradek | vidiu_pro | 2.4.10 |
| lighttpd | lighttpd | 1.4.48 |
| lighttpd | lighttpd | 1.4.31 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in Teradek VidiU Pro version 3.0.3 and some earlier versions. It allows an attacker to change the device's administrative password without proper authorization by exploiting the device's web interface, which does not validate the legitimacy of HTTP requests. If a logged-in administrator visits a malicious website, that site can automatically submit a password change request to the device, effectively allowing the attacker to take control without the administrator's consent. [1, 2]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized administrative control over the Teradek VidiU Pro device. An attacker can change the administrator password without permission, potentially locking out legitimate users and gaining full control of the device. This can disrupt live video streaming operations and compromise the security and integrity of the device's management. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the device's web interface, specifically looking for unauthorized or suspicious POST requests to the password change endpoint `/cgi-bin/password.cgi`. You can use network traffic analysis tools like Wireshark or tcpdump to capture HTTP traffic and filter for requests to this endpoint. Additionally, checking web server logs for unexpected POST requests to `/cgi-bin/password.cgi` with parameters changing the admin password can help detect exploitation attempts. For example, using a command like `grep '/cgi-bin/password.cgi' /var/log/lighttpd/access.log` on the device or proxy logs may reveal such attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the device's web interface to trusted networks or IP addresses, implementing network-level controls such as firewalls to block unauthorized access, and educating users to avoid visiting untrusted or malicious websites while logged into the device. Since the vulnerability arises from lack of request validation, disabling or limiting the web interface if possible until a patch is available is recommended. Monitoring for suspicious activity and changing administrative passwords manually can also help reduce risk. Applying any available firmware updates or patches from the vendor should be done as soon as they are released. [1, 2]