CVE-2019-25389

MEDIUM

Smoothwall Express 3.1-SP4-polar-x86_64-update9 - Unauthenticated Reflected Cross-Site Scripting via MACHINES Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25389. PoCs published by Ozer Goker.

AI-analyzed exploit summary This exploit demonstrates multiple stored and reflected XSS vulnerabilities in Smoothwall Express 3.1-SP4-polar-x86_64-update9. The payloads are simple JavaScript alerts injected into various parameters of CGI scripts.

Description

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the MACHINES parameter. Attackers can craft requests to the timedaccess.cgi endpoint with script payloads in the MACHINES parameter to execute arbitrary JavaScript in users' browsers.

Exploits (1)

exploitdb WORKING POC

by Ozer Goker · textwebappscgi

https://www.exploit-db.com/exploits/46333

View Code ZIP pw:eip

This exploit demonstrates multiple stored and reflected XSS vulnerabilities in Smoothwall Express 3.1-SP4-polar-x86_64-update9. The payloads are simple JavaScript alerts injected into various parameters of CGI scripts.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Smoothwall Express 3.1-SP4-polar-x86_64-update9

No auth needed

Prerequisites: Access to the web interface of the target Smoothwall Express instance

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/46333

Various Sources product

http://www.smoothwall.org

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/smoothwall-express-timedaccesscgi-cross-site-scrip

Scores

CVSS v3 6.1

EPSS 0.0024

EPSS Percentile 15.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

smoothwall/smoothwall_express 3.1 sp4

Published Feb 16, 2026

Tracked Since Feb 18, 2026