CVE-2019-25254
CSRF in KYOCERA Net Admin Allows Unauthorized Admin Account Creation
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kyocera | net_admin | 3.4.0906 |
| apache | tomcat | 8.5.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25254 is a Cross-Site Request Forgery (CSRF) vulnerability in KYOCERA Net Admin version 3.4.0906. It allows attackers to create administrative users without proper request validation by exploiting the web interface. If a logged-in user visits a malicious website, the attacker can automatically submit crafted HTTP requests that add new admin accounts with predefined credentials, bypassing security checks. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to gain unauthorized administrative access to the KYOCERA Net Admin system. By creating new admin accounts without proper validation, attackers can control device management functions, potentially leading to unauthorized configuration changes, security breaches, and loss of control over managed devices. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized HTTP POST requests to the addUser.faces endpoint of KYOCERA Net Admin 3.4.0906, especially those that attempt to add new administrative users with preset credentials such as username "backdoor" and password "pass123". Network intrusion detection systems (NIDS) can be configured to alert on such POST requests. Additionally, reviewing web server logs for unexpected POST requests to addUser.faces, or GET requests to EventControllerServlet related to node configuration updates, may reveal exploitation attempts. Since the exploit relies on CSRF, a request to either endpoint whose Referer header is absent or points to another origin is the footprint of a cross-site submission, and unusual administrative user creation events in the application logs should also be reviewed. Specific commands depend on your environment; for example, on a Linux host with access to the web server's access log you could run `grep 'addUser.faces' /var/log/apache2/access.log` or `grep 'EventControllerServlet' /var/log/apache2/access.log` to list matching requests. Note that Net Admin 3.4.0906 runs on Apache Tomcat 8.5.15 (see the affected-products table above), so the relevant file may be Tomcat's access log rather than Apache httpd's. [1, 2]
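The grep commands above only list lines that mention the two endpoints; a practitioner usually wants the Referer taken into account as well, because a POST to an admin endpoint that the application did not itself serve is what a CSRF submission looks like in a log. The following script is an added example, not code from the CVE record or from KYOCERA: it parses constructed access-log lines in combined log format, flags requests to the endpoints named above, and marks those whose Referer is missing or from a foreign origin. The trusted hostname, the URL prefix and the sample lines are assumptions made for the example.

```python
"""Added example: flag CSRF-shaped requests to Net Admin endpoints in an
access log. Log format, hostname and sample lines are assumptions."""
import re
from urllib.parse import urlsplit

# Combined log format with Referer and User-Agent fields (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Host on which Net Admin is legitimately served (assumption for the example).
TRUSTED_HOSTS = {"netadmin.example.internal"}

# Endpoints named in the detection guidance above.
WATCHED = (
    ("POST", "/addUser.faces"),
    ("GET", "/EventControllerServlet"),
)


def referer_is_foreign(referer: str) -> bool:
    """True when the Referer is empty or from another origin. An empty
    Referer can also come from a strict Referrer-Policy, so treat it as a
    lead to investigate rather than proof on its own."""
    if not referer or referer == "-":
        return True
    return urlsplit(referer).hostname not in TRUSTED_HOSTS


def scan(lines):
    """Return one finding per request to a watched endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        for w_method, w_path in WATCHED:
            if m["method"] == w_method and w_path in m["path"]:
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "request": f'{m["method"]} {m["path"]}',
                    "status": m["status"],
                    "foreign_referer": referer_is_foreign(m["referer"]),
                })
    return findings


def suspicious(lines):
    """Only the findings that carry the cross-site footprint."""
    return [f for f in scan(lines) if f["foreign_referer"]]


# Constructed sample log: one ordinary page view, one admin-initiated user
# creation, one user creation submitted from a foreign page, and one node
# update request with no Referer at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Dec/2025:10:00:01 +0000] "GET /netadmin/home.faces HTTP/1.1" '
    '200 5120 "https://netadmin.example.internal/netadmin/login.faces" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Dec/2025:10:00:07 +0000] "POST /netadmin/addUser.faces HTTP/1.1" '
    '302 0 "https://netadmin.example.internal/netadmin/users.faces" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Dec/2025:10:03:44 +0000] "POST /netadmin/addUser.faces HTTP/1.1" '
    '302 0 "http://lure.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Dec/2025:10:03:45 +0000] '
    '"GET /netadmin/EventControllerServlet?action=update HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f'{f["time"]} {f["ip"]} {f["request"]} status={f["status"]}')
```

Run against a real log by replacing `SAMPLE_LOG` with the file's lines; the same-origin POST in the sample is still reported by `scan()` because every administrative user creation is worth correlating with the application's own audit trail, but only the foreign-Referer entries are returned by `suspicious()`.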
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the KYOCERA Net Admin web interface to trusted networks and users only, implementing CSRF protection mechanisms such as anti-CSRF tokens in the web application, and monitoring for unauthorized administrative user creation. If possible, update or patch the software to a version that addresses this vulnerability. As a temporary workaround, disable or restrict the addUser.faces endpoint or administrative user creation functionality until a fix is applied. Additionally, educate users to avoid visiting untrusted websites while logged into the KYOCERA Net Admin interface to reduce the risk of CSRF exploitation. [1, 2]