CVE-2019-25351

HIGH

Centova Cast 3.2.11 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25351. PoCs published by DroidU.

AI-analyzed exploit summary This script exploits an arbitrary file download vulnerability in Centova Cast <=v3.2.11 by leveraging the API to copy sensitive files to an FTP server, then downloading them. It demonstrates the vulnerability by fetching /etc/passwd.

Description

Centova Cast 3.2.11 contains a file download vulnerability that allows authenticated attackers to retrieve arbitrary system files through the server.copyfile API endpoint. Attackers can exploit the vulnerability by supplying crafted parameters to download sensitive files like /etc/passwd using curl and wget requests.

Exploits (1)

exploitdb WORKING POC
by DroidU · bashwebappshardware
https://www.exploit-db.com/exploits/47669

This script exploits an arbitrary file download vulnerability in Centova Cast <=v3.2.11 by leveraging the API to copy sensitive files to an FTP server, then downloading them. It demonstrates the vulnerability by fetching /etc/passwd.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Centova Cast <=v3.2.11
Auth required
Prerequisites: valid Centova Cast credentials · FTP server access
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47669
Various Sources product
https://centova.com

Scores

CVSS v3 8.8
EPSS 0.0028
EPSS Percentile 19.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Published Feb 18, 2026
Tracked Since Feb 19, 2026