CVE-2019-25381

6.1 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject malicious JavaScript into Smoothwall Express web interface pages through unvalidated parameters (IP, HOSTNAME, COMMENT) in the hosts.cgi script. It is a reflected XSS: when an authenticated user is lured into submitting the crafted request, the injected script executes in their browser in the context of the management interface, where it can read what the page can read, steal session cookies, and perform actions as that user. Organizations running Smoothwall Express 3.1-SP4-polar-x86_64-update9 are affected.

💻 Affected Systems

Products:
  • Smoothwall Express
Versions: 3.1-SP4-polar-x86_64-update9
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web management interface; the attacker must lure an authenticated user into visiting an attacker-controlled page that submits the crafted request to hosts.cgi.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full administrative access to the Smoothwall firewall, reconfigure firewall rules, intercept network traffic, or deploy malware to internal systems.

🟠

Likely Case

Attackers steal user session cookies to hijack authenticated sessions, perform unauthorized actions, or redirect users to malicious sites.

🟢

If Mitigated

Limited to the browser session of a user who is lured into submitting the crafted request; once the reflected values are output-encoded, or the interface is reachable only from trusted hosts, the bug is not exploitable.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes (the attacker needs no credentials; the script runs in the browser of an authenticated user who is lured into submitting the request)
Complexity: LOW

Exploit code is publicly available on Exploit-DB; exploitation requires user interaction (clicking malicious link).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update10 or later

Vendor Advisory: http://www.smoothwall.org

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download and install Smoothwall Express 3.1-SP4-polar-x86_64-update10 or later from smoothwall.org.
3. Restart the Smoothwall system.
4. Verify the fix by checking the version and repeating the reflection test under "How to Verify".

🔧 Temporary Workarounds

Input Validation Filter

linux

hosts.cgi is a Perl CGI script; the effective workaround is to HTML-encode the IP, HOSTNAME and COMMENT values at every point where the script writes them back into the page (for example with CGI::escapeHTML, or HTML::Entities' encode_entities if that module is installed), rather than to filter on input, which lets alternative encodings through.

The sed one-liner originally given here, `sed -i 's/param_name/escaped_param_name/g' /path/to/hosts.cgi`, is only a placeholder for that edit and does nothing useful as written: back the script up, make the change by hand, and re-run the reflection test under "How to Verify" before relying on it.

Web Application Firewall

all

Deploy WAF rules in front of the management interface that block XSS payloads in the IP, HOSTNAME and COMMENT parameters of requests to hosts.cgi; inspect both the query string and the POST body, after URL and HTML-entity decoding, since the payload can be delivered either way.
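As an added example of the WAF rule described above (not from Smoothwall or the advisory), a ModSecurity 2.x rule that inspects the three reflected parameters on hosts.cgi, in both query-string and form-body form, and blocks the usual script vectors. The rule id is an arbitrary placeholder and must not collide with an existing ruleset; since an IP, hostname or comment never legitimately contains `<`, the tag pattern can be as broad as it is here.

```apache
# Added example: block XSS vectors in the three parameters hosts.cgi reflects.
# Phase 2 (request body) so form POSTs are covered; ARGS spans query string and body.
# Rule id 9001001 is a placeholder; choose one that is free in your ruleset.
SecRule REQUEST_FILENAME "@endsWith /cgi-bin/hosts.cgi" \
    "id:9001001,phase:2,deny,status:403,log,\
    msg:'XSS attempt against Smoothwall hosts.cgi (CVE-2019-25381)',\
    chain"
    SecRule ARGS:IP|ARGS:HOSTNAME|ARGS:COMMENT \
        "@rx (?i)<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace"
```

The transformations run on the chained rule before the regex, so `%3Cscript`, `&lt;script` and `< script` all match; test in `SecRuleEngine DetectionOnly` first if the rule sits in front of other CGIs on the same host.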

🧯 If You Can't Patch

  • Implement a strict Content Security Policy (CSP) header to block inline script execution; roll it out as Content-Security-Policy-Report-Only first, because an older CGI interface that relies on inline scripts or event handlers will break under a policy without 'unsafe-inline', which is exactly the setting that makes the policy effective
  • Restrict access to the Smoothwall web interface to trusted IP addresses only, and never expose the management ports to the internet

🔍 How to Verify

Check if Vulnerable:

Against a system you are authorised to test, log in to the management interface and submit a POST request to /cgi-bin/hosts.cgi with a harmless marker such as <xsscheck> (the original PoC uses <script>alert('XSS')</script>) in the IP parameter, then in HOSTNAME and COMMENT; inspect the raw response. The install is vulnerable if the marker comes back with its angle brackets intact. A browser alert is a convenient sign but not required; view-source or curl is enough.

Check Version:

cat /var/smoothwall/main/version

Verify Fix Applied:

After patching, repeat the test for all three parameters: the marker should come back HTML-encoded (&lt;...&gt;) or not at all, and no script executes.
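The reflection check above, as an added example that is not part of the advisory or of Smoothwall's own code, and for use only against a system you are authorised to test. It assumes the management interface is reachable over HTTPS on port 441 with HTTP basic authentication (the Smoothwall Express defaults) and that the form fields are named IP, HOSTNAME and COMMENT as the advisory states; any other fields the real form requires must be copied from it. A harmless marker is sent instead of a script payload, since what matters is whether the angle brackets come back raw or encoded.

```python
"""Check whether hosts.cgi reflects a submitted parameter back unencoded.

Added example, not from the advisory or Smoothwall. Assumptions: HTTPS on
port 441, HTTP basic auth, form fields IP/HOSTNAME/COMMENT, self-signed
certificate on the appliance.
"""
import base64
import re
import ssl
import sys
import urllib.parse
import urllib.request

HOSTS_CGI = "/cgi-bin/hosts.cgi"
# Unique, harmless marker that contains the characters which must be encoded.
MARKER = "<xsscheck-7f3a>"


def _encoded_form(marker):
    """Regex matching the marker with '<' and '>' as named, decimal or hex entities."""
    parts = []
    for ch in marker:
        if ch == "<":
            parts.append(r"(?:&lt;|&#0*60;|&#x0*3c;)")
        elif ch == ">":
            parts.append(r"(?:&gt;|&#0*62;|&#x0*3e;)")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def classify_reflection(body, marker=MARKER):
    """'unencoded' = marker echoed raw (vulnerable); 'encoded' = escaped (fixed);
    'absent' = not reflected at all (request rejected, or value not echoed)."""
    if marker in body:
        return "unencoded"
    if _encoded_form(marker).search(body):
        return "encoded"
    return "absent"


def probe(base_url, username, password, field="IP"):
    """POST the marker in one field and classify how the response echoes it."""
    params = {"IP": "192.0.2.10", "HOSTNAME": "xsscheck", "COMMENT": "xsscheck"}
    params[field] = MARKER
    req = urllib.request.Request(
        base_url.rstrip("/") + HOSTS_CGI,
        data=urllib.parse.urlencode(params).encode(),
        method="POST",
    )
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # appliance uses a self-signed certificate (assumption)
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe_hosts_cgi.py https://firewall:441 admin 'password'")
    for name in ("IP", "HOSTNAME", "COMMENT"):
        print(f"{name}: {probe(*sys.argv[1:4], field=name)}")
```

A result of "absent" for all three fields usually means the request was rejected before the values were echoed (missing form fields, wrong credentials), not that the host is fixed; compare against the real form's field list before concluding anything.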

📡 Detection & Monitoring

Log Indicators:

  • Requests to /cgi-bin/hosts.cgi whose query string contains script tags, javascript: URLs or event-handler attributes, URL-encoded or not; note that a standard access log records only the request line, so a payload carried in a POST body is not visible there unless request-body logging or a WAF audit log is in place
  • Unusual parameter values (angle brackets, quotes, percent-encoded tags) in web access logs for the management interface

Network Indicators:

  • HTTP POST requests to hosts.cgi whose Referer is a site other than the firewall itself, which is the trace an attacker-hosted auto-submitting form leaves when the browser sends one
  • HTTP requests to hosts.cgi with suspicious parameter values, where body inspection is available
  • Outbound connections from an administrator's workstation to unknown domains right after it visited the management interface

SIEM Query:

source="web_access.log" uri_path="/cgi-bin/hosts.cgi" (uri_query="*<script*" OR uri_query="*%3Cscript*" OR uri_query="*javascript:*" OR uri_query="*onerror=*")

(Pseudo-query; field names follow the common web data model and must be mapped to your SIEM. Use wildcard or contains matching rather than equality, include the percent-encoded forms, and remember that POST bodies are not in the access log, so this query only catches payloads delivered in the URL.)
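The log and network indicators above, implemented over access-log lines as an added example that is not part of the advisory or of Smoothwall itself. It assumes the Apache 'combined' log format and takes the firewall's own hostnames as input; the log lines in the block are constructed for the demonstration. Because an access log records only the request line, a payload in a POST body is invisible here, so a second signal flags a POST to hosts.cgi whose Referer is an outside site, which is what an attacker-hosted auto-submitting form typically leaves behind.

```python
"""Scan httpd access-log lines for XSS probes against Smoothwall's hosts.cgi.

Added example, not from the advisory or Smoothwall. Assumes Apache
'combined' log format; SAMPLE_LOG below is constructed, not real data.
"""
import re
import urllib.parse

# Apache 'combined' format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script tags, javascript: URLs, inline event handlers, common tag-based vectors.
XSS_RE = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b', re.I)

TARGET_PATH = "/cgi-bin/hosts.cgi"


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_query(query):
    """URL-decode twice so %253C (double-encoded '<') is unmasked as well as %3C."""
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(query))


def classify(entry, own_hosts):
    """Return the list of reasons this entry is suspicious (empty if it is not)."""
    reasons = []
    if entry is None:
        return reasons
    path, _, query = entry["target"].partition("?")
    if not path.endswith(TARGET_PATH):
        return reasons
    if XSS_RE.search(decode_query(query)):
        reasons.append("payload-in-query")
    # Referer "-" has no hostname and is skipped; an outside host on a POST is the CSRF-style delivery trace.
    ref_host = urllib.parse.urlsplit(entry["referer"]).hostname
    if entry["method"] == "POST" and ref_host and ref_host not in own_hosts:
        reasons.append("external-referer")
    return reasons


def scan(lines, own_hosts):
    """Return (client_ip, method, target, reasons) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        reasons = classify(entry, own_hosts)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["target"], reasons))
    return hits


# Constructed sample lines (not real logs).
SAMPLE_LOG = [
    '203.0.113.7 - admin [12/Aug/2019:10:15:02 +0000] "GET /cgi-bin/hosts.cgi?IP=%3Cscript%3Ealert(1)%3C%2Fscript%3E&HOSTNAME=a&COMMENT=b HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - admin [12/Aug/2019:10:15:40 +0000] "POST /cgi-bin/hosts.cgi HTTP/1.1" 200 5120 "http://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.9 - admin [12/Aug/2019:10:16:11 +0000] "GET /cgi-bin/hosts.cgi?IP=%253Cimg%2520src%3Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.15 - admin [12/Aug/2019:10:17:30 +0000] "POST /cgi-bin/hosts.cgi HTTP/1.1" 200 5120 "https://firewall.example:441/cgi-bin/hosts.cgi" "Mozilla/5.0"',
    '192.0.2.15 - admin [12/Aug/2019:10:18:05 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]

# Hostnames and addresses under which administrators reach this firewall (assumed values).
OWN_HOSTS = {"firewall.example", "10.0.0.1"}

if __name__ == "__main__":
    for ip, method, target, reasons in scan(SAMPLE_LOG, OWN_HOSTS):
        print(f"{ip} {method} {target} -> {', '.join(reasons)}")
```

The event-handler pattern is deliberately loose and will need tuning if comments on your firewall contain words that happen to start with "on" followed by "="; the referer signal is silent when the browser sends no Referer at all, so treat it as corroboration rather than proof.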
