CVE-2019-25252

MEDIUM

Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery via Password Change Request

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25252. PoCs published by LiquidWorm.

AI-analyzed exploit summary This HTML file demonstrates a CSRF vulnerability in Teradek VidiU Pro 3.0.3, allowing an attacker to change the admin password by tricking an authenticated user into submitting a malicious form. The exploit targets the password.cgi endpoint without requiring additional authentication checks.

Description

Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · htmlwebappshardware

https://www.exploit-db.com/exploits/44671

View Code ZIP pw:eip

This HTML file demonstrates a CSRF vulnerability in Teradek VidiU Pro 3.0.3, allowing an attacker to change the admin password by tricking an authenticated user into submitting a malicious form. The exploit targets the password.cgi endpoint without requiring additional authentication checks.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Teradek VidiU Pro 3.0.3 (build 32136) and earlier versions

Auth required

Prerequisites: Victim must be authenticated as admin · Victim must visit the malicious HTML page

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

https://www.exploit-db.com/exploits/44671

Product product

https://www.teradek.com

Exploit, Third Party Advisory third-party-advisory

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5460.php

Scores

CVSS v3 4.3

EPSS 0.0016

EPSS Percentile 5.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (9)

teradek/vidiu_firmware 2.4.10

teradek/vidiu_firmware 3.0.2 build31225

teradek/vidiu_firmware 3.0.3 build32136

teradek/vidiu_mini_firmware 2.4.10

teradek/vidiu_mini_firmware 3.0.2 build31225

teradek/vidiu_mini_firmware 3.0.3 build32136

teradek/vidiu_pro_firmware 2.4.10

teradek/vidiu_pro_firmware 3.0.2 build31225

teradek/vidiu_pro_firmware 3.0.3 build32136

Published Dec 24, 2025

Tracked Since Feb 18, 2026