CVE-2019-25400

5.4 MEDIUM

📋 TL;DR

This vulnerability allows attackers to perform reflected cross-site scripting (XSS) attacks against IPFire firewall administrators. By injecting malicious JavaScript into multiple parameters of the fwhosts.cgi script, attackers can execute arbitrary script in authenticated users' browsers. This affects IPFire administrators who access the web interface.

💻 Affected Systems

Products:
  • IPFire
Versions: IPFire 2.21 Core Update 127
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the web interface accessible and with authenticated users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal administrator session cookies, perform actions as the administrator (including firewall rule changes), or redirect to malicious sites.

🟠 Likely Case: Session hijacking leading to unauthorized access to the firewall administration interface.

🟢 If Mitigated: Limited impact if administrators use separate accounts with least privilege and browsers have XSS protection enabled.

🌐 Internet-Facing: MEDIUM - The web interface is typically not exposed to the internet, but if misconfigured, could be exploited remotely.
🏢 Internal Only: HIGH - Attackers on the internal network can exploit this to compromise firewall administration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to trick an authenticated user into clicking a malicious link. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IPFire 2.21 Core Update 128 or later

Vendor Advisory: https://www.ipfire.org/news

Restart Required: No

Instructions:

1. Log into the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply all available updates.
4. Verify the version is 2.21 Core Update 128 or newer.

🔧 Temporary Workarounds

Input Validation via ModSecurity (platform: linux)

Implement ModSecurity rules to block XSS payloads in the affected parameters:

# Add to ModSecurity rules:
SecRule ARGS "@detectXSS" "id:1001,phase:2,deny,status:403,msg:'XSS Attack Detected'"

Restrict Web Interface Access (platform: all)

Limit access to the IPFire web interface to trusted IP addresses only:

# In IPFire firewall rules, restrict port 444 (HTTPS) to admin networks only

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
  • Use browser extensions that provide XSS protection for administrators

🔍 How to Verify

Check if Vulnerable:

Check whether the version is 2.21 Core Update 127 via the web interface (System > Status) or with the command: cat /etc/ipfire-release

Check Version:

cat /etc/ipfire-release

Verify Fix Applied:

Verify the version is 2.21 Core Update 128 or newer, and confirm that test XSS payloads submitted to the fwhosts.cgi parameters are returned sanitized (encoded) rather than reflected as markup.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/fwhosts.cgi with script tags or JavaScript in parameters
  • Multiple failed login attempts followed by XSS payload requests

Network Indicators:

  • HTTP requests containing <script>, javascript:, or other XSS payloads in URL parameters

SIEM Query:

source="ipfire_web.log" AND uri="/cgi-bin/fwhosts.cgi" AND (param="HOSTNAME" OR param="IP" OR param="SUBNET") AND (value="*<script>*" OR value="*javascript:*")
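The same detection logic as the SIEM query above, run over web server access-log lines, as an added example that is not part of the advisory or the IPFire project. It assumes Apache combined log format and uses constructed sample lines; the event-handler pattern (on*=) is an addition beyond the two indicators the advisory names.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

TARGET_PATH = "/cgi-bin/fwhosts.cgi"
# Indicators named in the advisory (<script>, javascript:) plus inline event handlers,
# matched against the URL-decoded value so percent-encoded payloads are not missed.
XSS_PATTERN = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)
# Apache combined log format: client - user [time] "METHOD uri HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(uri):
    """Return {param: decoded_value} for fwhosts.cgi parameters carrying an XSS indicator."""
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return {}
    hits = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second decode pass catches double-encoded payloads
        if XSS_PATTERN.search(decoded):
            hits[name] = decoded
    return hits

def scan(lines):
    """Return one finding per log line that targets fwhosts.cgi with an XSS indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["uri"])
        if hits:
            findings.append({"ip": rec["ip"], "user": rec["user"],
                             "time": rec["time"], "params": hits})
    return findings

# Constructed sample log lines (not real traffic); the last one is a non-matching control.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2019:10:01:02 +0000] "GET /cgi-bin/fwhosts.cgi?ACTION=add&HOSTNAME=web01&IP=10.0.0.9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.77 - admin [12/Mar/2019:10:05:44 +0000] "GET /cgi-bin/fwhosts.cgi?ACTION=add&HOSTNAME=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
    '10.0.0.77 - admin [12/Mar/2019:10:06:10 +0000] "GET /cgi-bin/fwhosts.cgi?ACTION=add&SUBNET=javascript%3Aalert(1) HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
    '10.0.0.77 - admin [12/Mar/2019:10:07:00 +0000] "GET /cgi-bin/index.cgi?q=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) returns two findings, both from 10.0.0.77; the index.cgi line is ignored because only fwhosts.cgi is in scope.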
