CVE-2019-20085

HIGH KEV NUCLEI

TVT NVMS-1000 Firmware - Path Traversal via GET Request

Exploitation Summary

CVE-2019-20085 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 7 public exploits from researchers including Mohin Paramasivam, numan türle, and AleDiBen, among them the Metasploit module auxiliary/scanner/http/tvt_nvms_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a directory traversal vulnerability in TVT NVMS 1000, allowing unauthorized file access via path traversal sequences. It fetches arbitrary files from the server and saves them locally.

Description

TVT NVMS-1000 devices allow GET /.. Directory Traversal

Exploits (7)

exploitdb WORKING POC
by Mohin Paramasivam · python · webapps · hardware
https://www.exploit-db.com/exploits/48311

This exploit demonstrates a directory traversal vulnerability in TVT NVMS 1000, allowing unauthorized file access via path traversal sequences. It fetches arbitrary files from the server and saves them locally.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: TVT NVMS 1000
No auth needed
Prerequisites: Network access to the target server · Knowledge of file paths on the target system
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by numan türle · text · webapps · hardware
https://www.exploit-db.com/exploits/47774

This exploit demonstrates a directory traversal vulnerability in NVMS-1000, allowing unauthorized access to files outside the web root directory. The PoC retrieves the contents of the 'win.ini' file by manipulating the URL path.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: NVMS-1000
No auth needed
Prerequisites: Network access to the vulnerable NVMS-1000 server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by AleDiBen · infoleak
https://github.com/AleDiBen/NVMS1000-Exploit

This Python script exploits a directory traversal vulnerability (CVE-2019-20085) in NVMS 1000 by sending a crafted HTTP GET request with a traversal payload to read arbitrary files from the target system. It includes functionality to save the retrieved file content locally.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: NVMS 1000
No auth needed
Prerequisites: Network access to the target NVMS 1000 server
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by Z3R0space · poc
https://github.com/Z3R0space/CVE-2019-20085

The repository contains a functional Python exploit for CVE-2019-20085, a directory traversal vulnerability in TVT NVMS-1000. The exploit sends a crafted GET request with traversal sequences to read arbitrary files from the target system.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: TVT NVMS-1000 (all versions prior to patch)
No auth needed
Prerequisites: Python 3.x · requests module
devstral-2 · analyzed Feb 25, 2026

nomisec WORKING POC
by Z3R0-0x30 · infoleak
https://github.com/Z3R0-0x30/CVE-2019-20085

The repository contains a functional Python exploit for CVE-2019-20085, a directory traversal vulnerability in TVT NVMS-1000. The exploit sends a crafted GET request to read arbitrary files on the target system without authentication.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: TVT NVMS-1000 (all versions prior to patch)
No auth needed
Prerequisites: Python 3.x · requests module · network access to target
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by 0hmsec · infoleak
https://github.com/0hmsec/NVMS-1000-Directory-Traversal-Bash

This repository contains a functional Bash script that exploits a directory traversal vulnerability (CVE-2019-20085) in NVMS-1000. The script constructs a malicious URL with traversal sequences and uses curl to fetch arbitrary files from the target system.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: NVMS-1000
No auth needed
Prerequisites: Target URL must be accessible · Target file must exist on the system
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC
by Numan Türle, Dhiraj Mishra · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/tvt_nvms_traversal.rb

This Metasploit module exploits an unauthenticated directory traversal vulnerability in TVT NVMS-1000 by sending a crafted HTTP GET request with traversal sequences to read arbitrary files from the server.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: TVT NVMS-1000 version 3.4.1
No auth needed
Prerequisites: Network access to the target on port 80
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

TVT NVMS 1000 - Local File Inclusion
HIGH by daffainfo

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/47774
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/157196/TVT-NVMS-1000-Directory-Traversal.html

Scores

CVSS v3 7.5
EPSS 0.9426
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-10641
CWE CWE-22
Status published
Products (1)
tvt/nvms-1000_firmware
Published Dec 30, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026