CVE-2019-25249

CRITICAL

devolo dLAN 500 AV Wireless+ <3.1.0-1 - Auth Bypass


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25249. PoCs published by sm.

AI-analyzed exploit summary: This exploit demonstrates a remote code execution vulnerability in devolo dLAN 550 duo+ devices by enabling hidden services (telnet and remote shell) via unsanitized configuration parameters in the htmlmgr CGI script. An attacker can authenticate, modify these parameters, reboot the device, and gain root access via telnet without a password.

Description

devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters.

Exploits (1)

exploitdb · WORKING POC
by sm · text · webapps · hardware
https://www.exploit-db.com/exploits/46325

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: devolo dLAN 500 AV Wireless+ 3.1.0-1 (i386)
Auth required
Prerequisites: Authenticated access to the web interface · Network access to the device
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References (3)
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/46325
Various Sources (product): https://www.devolo.com
Third Party Advisory (third-party-advisory): https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php

Scores

CVSS v3 9.8
EPSS 0.0037
EPSS Percentile 29.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-266
Status published
Products (1)
devolo AG/dLAN 550 duo+ Starter Kit 500 AV Wireless+ 3.1.0-1
Published Dec 24, 2025
Tracked Since Feb 18, 2026