CVE-2019-13025

9.8 CRITICAL

📋 TL;DR

CVE-2019-13025 is a critical remote code execution vulnerability in Compal CH7465LG cable modems. Attackers can send specially crafted HTTP POST requests to execute arbitrary shell commands on the device. This affects users of Compal CH7465LG devices with vulnerable firmware.

💻 Affected Systems

Products:
  • Compal CH7465LG cable modem
Versions: CH7465LG-NCIP-6.12.18.24-5p8-NOSH and likely earlier versions
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Connect Box variant of the CH7465LG modem. The vulnerable API endpoint is accessible without authentication.

📦 What is this software?

The Compal CH7465LG is a DOCSIS 3.0 cable modem with an integrated router and Wi-Fi access point. It is supplied by cable ISPs as managed customer-premises equipment, marketed by several European cable operators as the "Connect Box". Because it is ISP-managed, its firmware is provisioned by the operator rather than installed by the subscriber, and its web management interface (default LAN address 192.168.0.1) is the surface this vulnerability sits on.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing attacker to install persistent backdoors, intercept/modify network traffic, pivot to internal networks, or brick the device.

🟠 Likely Case

Attackers gain shell access to execute commands, potentially stealing credentials, modifying DNS settings, or launching attacks against internal network devices.

🟢 If Mitigated

With network segmentation and access controls in place, the impact is limited to the cable modem itself, with no lateral movement into the LAN.

🌐 Internet-Facing: HIGH - the modem is the network edge; if the ISP leaves the management interface reachable on the WAN side, the unauthenticated POST can be sent from anywhere on the internet.
🏢 Internal Only: MEDIUM - any host on the LAN reaches the management interface directly, including a LAN browser that is tricked into submitting the POST cross-site.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending a single HTTP POST request with shell commands in the payload. No authentication or special privileges needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: No fixed version is published on this page. Fixed firmware, if available, is distributed by the ISP; treat any build later than CH7465LG-NCIP-6.12.18.24-5p8-NOSH as a candidate and confirm with the ISP that it addresses this CVE.

Vendor Advisory: No public vendor advisory found

Restart Required: Yes

Instructions:

1. Read the current firmware version from the modem web interface.
2. Contact the ISP. Firmware for ISP-managed cable modems is normally pushed by the operator over DOCSIS provisioning; the subscriber cannot upload it through the web interface.
3. Once the ISP has pushed the update, reboot the modem if it has not already rebooted itself.
4. Re-check the firmware version after the reboot.

🔧 Temporary Workarounds

Network segmentation (all platforms)

Isolate the cable modem from the internal network using a separate VLAN or firewall rules, so that only an administration host can reach its management interface.

Access control restrictions (Linux router/firewall)

Block access to the modem's management interface from all LAN clients except an admin host. These rules belong on a Linux router that sits between the clients and the modem, so they only help when clients reach the modem through that router; INPUT-chain rules on a client host do nothing for the modem, and rules cannot be installed on the modem itself.

# 192.168.0.10 is an example admin host address; 192.168.0.1 is the modem's default LAN address
iptables -A FORWARD -s 192.168.0.10 -d 192.168.0.1 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -p tcp -m multiport --dports 80,443 -j DROP

🧯 If You Can't Patch

  • Replace vulnerable modem with different model from ISP
  • Implement strict network monitoring for suspicious HTTP requests to modem IP

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the modem web interface at http://192.168.0.1 (or the modem's configured LAN address). If the version is CH7465LG-NCIP-6.12.18.24-5p8-NOSH or earlier, the device is vulnerable.

Check Version:

Log in to the web interface and read the software version from the device information page; this page documents no HTTP endpoint that returns the version unauthenticated. To confirm that the management interface is reachable from a given host at all, request the root page and look at the status code:

curl -s -o /dev/null -w '%{http_code}\n' http://192.168.0.1/

Verify Fix Applied:

Verify firmware version has been updated to a newer version than CH7465LG-NCIP-6.12.18.24-5p8-NOSH.
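Comparing the version string by eye is error-prone once an inventory holds more than a handful of modems. The following is an added example (not code from the original page or from Compal) that parses the build string into comparable components and applies this page's rule: the known-vulnerable build or anything earlier is vulnerable, anything later is treated as fixed. The layout `<model>-NCIP-<a.b.c.d>-<n>p<m>-<suffix>` is inferred from the single version string on this page and is an assumption.

```python
import re
from typing import Optional, Tuple

# Version string of the known-vulnerable firmware, as given on this page.
VULNERABLE_VERSION = "CH7465LG-NCIP-6.12.18.24-5p8-NOSH"

# Assumed layout of Compal build strings, inferred from VULNERABLE_VERSION only:
#   <model>-NCIP-<dotted build number>-<patch>p<subpatch>-<suffix>
_VERSION_RE = re.compile(
    r"^(?P<model>[A-Z0-9]+)-NCIP-(?P<build>\d+(?:\.\d+)*)"
    r"-(?P<patch>\d+)p(?P<sub>\d+)-(?P<suffix>[A-Z0-9]+)$"
)


def parse_version(s: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (model, comparable tuple) or None if the string does not fit the layout."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    build = tuple(int(x) for x in m.group("build").split("."))
    # The patch/subpatch pair is appended so "5p9" sorts after "5p8" and "6p0" after both.
    key = build + (int(m.group("patch")), int(m.group("sub")))
    return m.group("model"), key


def is_vulnerable(s: str) -> Optional[bool]:
    """True if the firmware is the vulnerable build or earlier, False if later,
    None if the string is not a CH7465LG version in the expected format
    (a different model, or a string this parser does not understand)."""
    parsed = parse_version(s)
    ref = parse_version(VULNERABLE_VERSION)
    if parsed is None or ref is None or parsed[0] != ref[0]:
        return None
    return parsed[1] <= ref[1]


if __name__ == "__main__":
    # Constructed inventory entries, not real device data.
    for v in [
        "CH7465LG-NCIP-6.12.18.24-5p8-NOSH",
        "CH7465LG-NCIP-6.12.18.23-5p8-NOSH",
        "CH7465LG-NCIP-6.12.18.24-5p9-NOSH",
        "TC7200-NCIP-6.12.18.24-5p8-NOSH",
        "not-a-version",
    ]:
        print(f"{v:40s} vulnerable={is_vulnerable(v)}")
```

A `None` result is deliberately distinct from `False`: a device whose version string the parser cannot place should be reviewed by hand, not silently counted as patched.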

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to the modem management interface, especially from LAN hosts that never administer it
  • Host-side indicators (shell command execution, unexpected process creation) exist on the device but the modem exposes no process or shell log to the operator, so treat the network indicators below as the primary signal

Network Indicators:

  • HTTP POST requests containing shell metacharacters to modem IP
  • Outbound connections from modem to suspicious IPs

SIEM Query (Splunk-style; run against HTTP logs from a proxy, IDS or packet capture that sees traffic to the modem, since the modem itself exports no request log):

source="modem.log" "POST" AND (";" OR "|" OR "`" OR "$(")

A bare "$" is left out of the OR list because it matches too much ordinary content; "$(" still catches command substitution.
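A SIEM query over raw strings misses the obvious evasion: the attacker URL-encodes the metacharacter (`;` becomes `%3B`, or `%253B` when double-encoded). The following is an added example, not code from the original page, of the same detection logic run over constructed HTTP event records. It decodes the POST body before matching, restricts itself to POSTs addressed to the modem, and returns the reasons an event was flagged so an analyst can triage. The event field names, the modem address 192.168.0.1 and the `/manage` path in the sample data are placeholders; the real vulnerable endpoint is not named on this page.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters and operators that have no business inside a modem
# management POST body. Bare "$" is left out: it is too noisy on its own.
_SHELL_PATTERNS = [
    (re.compile(r";"), "command separator ;"),
    (re.compile(r"\|\|?"), "pipe / OR operator"),
    (re.compile(r"&&"), "AND operator"),
    (re.compile(r"`"), "backtick substitution"),
    (re.compile(r"\$\("), "$( ) substitution"),
    (re.compile(r"[\r\n]"), "embedded newline"),
]


def decode_body(body: str) -> str:
    """URL-decode repeatedly (bounded) so a double-encoded %253B is still caught."""
    cur = body
    for _ in range(3):
        prev, cur = cur, unquote_plus(cur)
        if cur == prev:
            break
    return cur


def classify_request(event: dict, modem_ip: str) -> list:
    """Return the reasons this HTTP event looks like command injection against the
    modem's management interface; an empty list means nothing was matched."""
    if event.get("dst_ip") != modem_ip or event.get("method") != "POST":
        return []
    body = decode_body(event.get("body", ""))
    return [why for pat, why in _SHELL_PATTERNS if pat.search(body)]


def find_suspicious(events, modem_ip="192.168.0.1"):
    """Return [(event, reasons), ...] for every flagged event, in log order."""
    hits = []
    for ev in events:
        reasons = classify_request(ev, modem_ip)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample events (not real captures). Field names and the "/manage"
# path are placeholders; the real endpoint is not named on the page.
SAMPLE_EVENTS = [
    {"src_ip": "192.168.0.10", "dst_ip": "192.168.0.1", "method": "POST",
     "uri": "/login", "body": "user=admin&password=hunter2"},      # normal login
    {"src_ip": "192.168.0.10", "dst_ip": "192.168.0.1", "method": "GET",
     "uri": "/status", "body": ""},                                 # GET: ignored
    {"src_ip": "192.168.0.23", "dst_ip": "192.168.0.1", "method": "POST",
     "uri": "/manage", "body": "name=x%3Bcat%20/etc/passwd"},      # encoded ';'
    {"src_ip": "192.168.0.23", "dst_ip": "192.168.0.1", "method": "POST",
     "uri": "/manage", "body": "name=x|id"},                        # pipe
    {"src_ip": "192.168.0.23", "dst_ip": "10.0.0.5", "method": "POST",
     "uri": "/manage", "body": "q=a;b"},                            # not the modem
]

if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(ev["src_ip"], ev["uri"], "->", ", ".join(reasons))
```

Feed it the JSON records your proxy or IDS emits for requests to the modem address; the decode step is what turns the page's string-match query into something an encoded payload cannot trivially slip past.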
