CVE-2019-25465
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform directory traversal attacks on Hisilicon HiIpcam V100R003 devices, exposing sensitive configuration files including ADSL credentials and network settings. Attackers can retrieve usernames, passwords, and DNS configurations without authentication. This affects all deployments of the vulnerable HiIpcam firmware version.
💻 Affected Systems
- Hisilicon HiIpcam
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full network access credentials, allowing them to compromise the entire network infrastructure, perform man-in-the-middle attacks, or pivot to other systems using stolen credentials.
Likely Case
Attackers steal ADSL credentials and network configuration, enabling unauthorized network access, credential reuse attacks, and potential device takeover.
If Mitigated
With proper network segmentation and access controls, impact is limited to the specific device, though credentials may still be compromised.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB. Attack requires only HTTP GET requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Check with Hisilicon for firmware updates or consider device replacement.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the device's web interface using firewall rules or network segmentation. In the example below, replace trusted_network with your management subnet (CIDR form); because the rules are appended with -A, they only take effect if no earlier rule already accepts the traffic.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
CGI Endpoint Blocking
Block access to the vulnerable getadslattr.cgi endpoint using web server configuration or WAF rules (nginx syntax shown, for a reverse proxy or WAF placed in front of the device).
location ~ /cgi-bin/getadslattr\.cgi { deny all; }
🧯 If You Can't Patch
- Isolate affected devices in a separate VLAN with strict firewall rules preventing external access
- Implement network monitoring for suspicious requests to /cgi-bin/getadslattr.cgi and alert on credential extraction attempts
🔍 How to Verify
Check if Vulnerable:
Send HTTP GET request to http://device_ip/cgi-bin/getadslattr.cgi and check if it returns ADSL configuration data without authentication.
Check Version:
Check device web interface or firmware version in device settings. Command varies by device model.
Verify Fix Applied:
After implementing workarounds, verify the endpoint returns access denied or connection refused when accessed.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /cgi-bin/getadslattr.cgi
- Unusual access patterns to configuration files
- Failed authentication attempts followed by CGI access
Network Indicators:
- HTTP traffic to port 80/443 with User-Agent strings of known exploit or scanning tools
- Outbound connections from device after credential extraction
SIEM Query:
source="web_logs" AND (url="/cgi-bin/getadslattr.cgi" OR url CONTAINS "getadslattr")
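As an added defender-side example (not part of this advisory), the log indicator and SIEM query above implemented in Python over constructed Combined Log Format lines. It goes slightly beyond the plain substring query: it percent-decodes the URL and ignores case, so encoded or case-varied spellings of the same path still match, and it marks 200 responses as probable disclosures.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:15:02 +0000] "GET /cgi-bin/getadslattr.cgi HTTP/1.1" 200 512 "-" "curl/7.88.1"
198.51.100.3 - - [10/Mar/2024:08:15:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:15:12 +0000] "GET /cgi-bin/GetAdslAttr.cgi?x=1 HTTP/1.1" 403 0 "-" "curl/7.88.1"
192.0.2.9 - - [10/Mar/2024:08:16:00 +0000] "GET /cgi-bin/getadslattr%2Ecgi HTTP/1.1" 200 498 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_getadslattr_request(url):
    """True if the request path refers to the getadslattr.cgi endpoint.

    Percent-decoding and lower-casing make the check broader than the
    literal substring query shown in the advisory's SIEM example.
    """
    path = unquote(url).split("?", 1)[0].lower()
    return "getadslattr" in path

def find_suspicious(log_text):
    """Return one record per request to the vulnerable endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_getadslattr_request(rec["url"]):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "url": rec["url"],
                "status": int(rec["status"]),
                # A 200 means the endpoint answered; treat as probable disclosure.
                "likely_disclosure": rec["status"] == "200",
                "ua": rec["ua"],
            })
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(h)
```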