CVE-2019-25394

7.2 HIGH

📋 TL;DR

This stored XSS vulnerability in Smoothwall Express allows attackers to inject malicious JavaScript through modem.cgi POST parameters. When users access affected pages, the stored scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. Systems running Smoothwall Express 3.1-SP4-polar-x86_64-update9 are affected.

💻 Affected Systems

Products:
  • Smoothwall Express
Versions: 3.1-SP4-polar-x86_64-update9
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with modem.cgi accessible and configured. The vulnerability requires attacker access to submit POST requests to the vulnerable endpoint.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack sessions, redirect users to malicious sites, or perform actions as authenticated users, potentially leading to full system compromise.

🟠 Likely Case

Attackers would steal session cookies or credentials from users accessing the modem.cgi interface, enabling unauthorized access to the Smoothwall management interface.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to submit POST requests to modem.cgi. Public exploit code exists in Exploit-DB (46333).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update10 or later

Vendor Advisory: http://www.smoothwall.org

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Download and apply Update10 from the Smoothwall repository.
3. Restart Smoothwall services.
4. Verify modem.cgi no longer accepts unencoded script tags in POST parameters.

🔧 Temporary Workarounds

Input Validation Filter


Add input validation to reject script tags and JavaScript in POST parameters, and HTML-encode parameter values before they are echoed back into the page (the "If Mitigated" point above).

Modify /usr/lib/smoothwall/modem.cgi to sanitize the INIT, HANGUP, SPEAKER_ON, SPEAKER_OFF, TONE_DIAL, and PULSE_DIAL parameters.

Access Restriction


Restrict access to modem.cgi to trusted IP addresses only. Replace TRUSTED_IP with the management host's address and keep the ACCEPT rule ahead of the DROP rule; because both rules are appended (-A) to the INPUT chain, they only take effect if no earlier rule already accepts port 81 traffic. If the administration interface is also served on another port (for example over HTTPS), restrict that port the same way.

iptables -A INPUT -p tcp --dport 81 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j DROP

🧯 If You Can't Patch

  • Implement WAF rules to block POST requests containing JavaScript patterns to modem.cgi
  • Disable modem.cgi functionality if not required by removing execute permissions: chmod -x /usr/lib/smoothwall/modem.cgi

🔍 How to Verify

Check if Vulnerable:

Test by submitting POST request to modem.cgi with parameter INIT=<script>alert('XSS')</script> and check if script executes when page loads

Check Version:

cat /var/smoothwall/main/version

Verify Fix Applied:

Submit the same payload again and confirm that it appears in the response HTML-encoded (for example as &lt;script&gt;) rather than as a live tag.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /cgi-bin/modem.cgi containing script tags or JavaScript patterns in parameters
  • Unusual parameter values in modem.cgi access logs

Network Indicators:

  • HTTP POST requests to modem.cgi with encoded script payloads
  • Outbound connections from Smoothwall to unexpected domains following modem.cgi access

SIEM Query (pseudo-syntax; standard web access logs do not record POST bodies, so matching on parameter names needs a WAF, proxy, or request-body logging source):

source="smoothwall" AND uri="/cgi-bin/modem.cgi" AND (method="POST") AND (param="INIT" OR param="HANGUP" OR param="SPEAKER_ON" OR param="SPEAKER_OFF" OR param="TONE_DIAL" OR param="PULSE_DIAL")
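To turn the indicators above into something runnable, here is an added Python example (not part of this advisory or of Smoothwall's code) that inspects a captured HTTP request, as a WAF or logging proxy would see it, and reports which of the listed modem.cgi parameters carry script-like values after peeling off URL and HTML-entity encoding. The two sample requests, the host address, the AT strings, and the pattern list are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Parameters named in this advisory as reachable through modem.cgi.
MODEM_PARAMS = {"INIT", "HANGUP", "SPEAKER_ON", "SPEAKER_OFF", "TONE_DIAL", "PULSE_DIAL"}

# Markup/script fragments that have no business in a modem AT string (assumed list).
SCRIPT_PATTERNS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b|javascript\s*:|\bon\w+\s*=",
    re.IGNORECASE,
)


def normalize(value: str) -> str:
    """Strip layered URL and HTML-entity encoding until the value stops changing."""
    prev = None
    while value != prev:
        prev = value
        value = html.unescape(unquote(value))
    return value


def inspect_request(raw: str) -> dict:
    """Return {param: decoded value} for modem.cgi POST parameters whose values
    look like injected script; an empty dict for any other request."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target = head.split("\r\n", 1)[0].split(" ")[:2]
    if method != "POST" or not target.split("?")[0].endswith("/modem.cgi"):
        return {}
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name in MODEM_PARAMS:
            for v in values:
                decoded = normalize(v)  # parse_qs decoded once; undo further layers
                if SCRIPT_PATTERNS.search(decoded):
                    hits[name] = decoded
    return hits


# Constructed sample requests; host and AT strings are illustrative only.
BENIGN = (
    "POST /cgi-bin/modem.cgi HTTP/1.1\r\nHost: 192.0.2.1:81\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "INIT=ATZ&SPEAKER_ON=ATM1&ACTION=Save"
)
# Double URL-encoded <script> tag, the kind of layering a single-decode filter misses.
SUSPICIOUS = (
    "POST /cgi-bin/modem.cgi HTTP/1.1\r\nHost: 192.0.2.1:81\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "INIT=%253Cscript%253Ealert(1)%253C%2Fscript%253E&HANGUP=ATH0"
)
```

Feed it the request records your WAF or proxy stores for /cgi-bin/modem.cgi; a non-empty result is the log indicator described above.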
