CVE-2019-25590
Received Received - Intake
Denial of Service in Axessh 4.2 via Log Filename Buffer Overflow

Publication date: 2026-03-22

Last updated on: 2026-03-22

Assigner: VulnCheck

Description
Axessh 4.2 contains a denial of service vulnerability in the logging configuration that allows local attackers to crash the application by supplying an excessively long string in the log file name field. Attackers can enable session logging, paste a buffer of 500 or more characters into the log file name parameter, and trigger a crash when establishing a telnet connection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-22
Last Modified
2026-03-22
Generated
2026-06-16
AI Q&A
2026-03-22
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25590
EUVD
EUVD-2019-19922
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
axessh axessh 4.2
axessh axessh to 4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1282 Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25590 is a denial of service vulnerability in Axessh version 4.2 and earlier. It occurs due to a flaw in the logging configuration where local attackers can crash the application by supplying an excessively long string in the log file name field.

When session logging is enabled, an attacker can input a buffer of 500 or more characters into the log file name parameter, which triggers a crash during the establishment of a Telnet connection.

This vulnerability is classified under CWE-1282, involving assumed-immutable data being stored in writable memory.

Impact Analysis

This vulnerability can cause a denial of service by crashing the Axessh application when an attacker supplies an excessively long log file name string.

As a result, legitimate users may be unable to establish Telnet connections or use the affected service, leading to service disruption.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the Axessh application version 4.2 or earlier is running with session logging enabled.

To test for the vulnerability, an attacker or tester can attempt to establish a Telnet connection while supplying an excessively long string (500 or more characters) in the log file name parameter to see if the application crashes.

Since the vulnerability is triggered locally by providing a long string in the log file name, detection commands would involve interacting with the Axessh configuration or logs to verify if such long strings are accepted or cause crashes.

  • Check Axessh version: `axessh --version` or equivalent command to confirm version 4.2 or earlier.
  • Verify if session logging is enabled in the Axessh configuration files.
  • Attempt to establish a Telnet connection with a crafted log file name parameter containing 500+ characters to observe if the application crashes.
Mitigation Strategies

Immediate mitigation steps include disabling session logging in Axessh to prevent attackers from exploiting the log file name parameter.

Alternatively, restrict or sanitize the input length for the log file name parameter to prevent excessively long strings from being processed.

If possible, upgrade Axessh to a version later than 4.2 where this vulnerability is fixed.

Limit local user access to the system running Axessh to reduce the risk of local attackers exploiting this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25590. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart