CVE-2019-25465
Received Received - Intake
Directory Traversal in Hisilicon HiIpcam Exposes ADSL Credentials

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: VulnCheck

Description
Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. Attackers can request the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration parameters including usernames, passwords, and DNS settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25465
EUVD
EUVD-2019-19736
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
hisilicon hiipcamm_v100r003 *
hisilicon hiipcamm v100r003
thttpd thttpd 2.25b
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-260 The product stores a password in a configuration file that might be accessible to actors who do not know the password.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25465 is a directory traversal vulnerability found in Hisilicon HiIpcam V100R003 devices. It allows unauthenticated attackers to exploit directory listing in the cgi-bin directory to access sensitive configuration files.

Attackers can send requests to the getadslattr.cgi endpoint to retrieve critical network configuration parameters such as ADSL credentials, usernames, passwords, and DNS settings without needing any authentication.

The vulnerability arises due to insufficient input validation and lack of proper access controls on the CGI-bin interface, enabling unauthorized remote attackers to enumerate and read sensitive files.

Impact Analysis

This vulnerability can have serious security impacts as it allows attackers to remotely access sensitive device information without authentication.

  • Attackers can obtain ADSL credentials, including usernames and passwords.
  • Network configuration parameters such as DNS settings and IP addresses can be exposed.
  • Unauthorized access to these details can lead to further compromise of the device or network.
  • The vulnerability could be used as a stepping stone for more advanced attacks or unauthorized network access.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending HTTP GET requests to the /cgi-bin/ directory of the target device and checking for a directory listing response.'}, {'type': 'paragraph', 'content': 'Specifically, you can request the getadslattr.cgi endpoint or simply check if the response contains the string "<H2>Index of /cgi-bin/</H2>", which indicates that directory listing is enabled and the device is vulnerable.'}, {'type': 'paragraph', 'content': 'An example approach is to use tools like curl or wget to send requests and inspect responses.'}, {'type': 'list_item', 'content': 'curl -i http://<target-ip>/cgi-bin/ | grep "<H2>Index of /cgi-bin/</H2>"'}, {'type': 'list_item', 'content': 'curl http://<target-ip>/cgi-bin/getadslattr.cgi'}, {'type': 'paragraph', 'content': 'If the directory listing is accessible or the getadslattr.cgi returns sensitive configuration data such as ADSL credentials, usernames, passwords, or DNS settings, the device is vulnerable.'}] [1]

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25465. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart