CVE-2019-7666

HIGH

Prima Systems FlexAir <2.3.38 - Auth Bypass

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-7666. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit bypasses authentication in FlexAir Access Control 2.3.35 by fetching a predictably named database backup file containing user credentials. It brute-forces dates to locate the backup and extracts hashed passwords for further attacks.

Description

Prima Systems FlexAir, Versions 2.3.38 and prior. The application allows improper authentication using the MD5 hash value of the password, which may allow an attacker with access to the database to log in as admin without decrypting the password.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · python · webapps · hardware
https://www.exploit-db.com/exploits/47644

Classification
Working PoC: 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: FlexAir Access Control 2.3.35
No auth needed
Prerequisites: Network access to the target · Predictable backup file naming convention
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory (x_refsource_misc): https://applied-risk.com/labs/advisories
Third Party Advisory (x_refsource_misc): https://www.applied-risk.com/resources/ar-2019-007
Third Party Advisory, US Government Resource (x_refsource_misc): https://www.us-cert.gov/ics/advisories/icsa-19-211-02

Scores

CVSS v3: 8.8
EPSS: 0.1482
EPSS Percentile: 96.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-287
Status: published
Products (1): primasystems/flexair < 2.3.38
Published: Jul 01, 2019
Tracked Since: Feb 18, 2026