CVE-2019-25470
📋 TL;DR
This vulnerability in eWON industrial routers lets an attacker who holds any low-privileged account on the device retrieve and decrypt every stored user password. By posting to the wsdReadForm endpoint, the attacker obtains the credentials of all accounts, including administrators, and can then log in with full administrative access. This page lists eWON firmware versions 12.2 through 13.0 as affected.
💻 Affected Systems
- eWON industrial routers and gateways
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version range, so automated scanners that key on NVD data cannot tell whether your device is affected; the 12.2 through 13.0 range quoted on this page must be confirmed against your own firmware version.
Why? The vendor/NVD record does not state which versions are vulnerable, so there is nothing for a scanner to match on.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems, unauthorized access to critical infrastructure, data exfiltration, and potential physical damage to industrial processes.
Likely Case
Attackers gain administrative access to eWON devices, allowing them to modify configurations, intercept network traffic, and pivot to other industrial systems.
If Mitigated
Exposure is limited to the credentials stored on the device itself, with no lateral movement, provided the device sits in its own network segment and access to its web interface is restricted to trusted hosts.
🎯 Exploit Status
Exploitation requires only a low-privileged account on the device and consists of plain HTTP POST requests to the wsdReadForm endpoint with base64-encoded parameters; no memory corruption or timing is involved. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.0s or later
Vendor Advisory: https://www.ewon.biz
Restart Required: Yes
Instructions:
1. Download the latest firmware from the eWON support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface.
4. Reboot the device.
5. Verify that the firmware version is 13.0s or higher.
6. Rotate the password of every account on the device: passwords retrieved before the patch are decryptable, so patching alone does not revoke them.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the eWON web interface to trusted IP addresses only. The eWON itself exposes no packet filter to the operator, so apply the rules on the firewall or Linux gateway in front of the device; cover both the plain-HTTP and HTTPS ports, and insert the rules ahead of any existing blanket ACCEPT rule:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
Disable Unused Accounts
Remove or disable all non-essential user accounts. Every account on the device is both a possible foothold (any login suffices to reach wsdReadForm) and a credential that the attack would expose.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate eWON devices from critical systems
- Enable multi-factor authentication if supported and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface at System > About. If version is between 12.2 and 13.0 inclusive, device is vulnerable.
Check Version:
curl -k https://<device_ip>/cgi-bin/status | grep Firmware
Verify Fix Applied:
Verify that the firmware version is 13.0s or higher. Then, from a low-privileged test account, confirm that POST requests to /wrcgi.bin/wsdReadForm no longer return the password fields of other accounts.
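The version test above is easy to get wrong by hand because the fixed release carries a letter suffix ("13.0s") while the affected range is written in bare major.minor form. The helper below is an added example, not code from the original page or from the vendor; it parses the version string out of status output (the sample line is constructed) and decides whether it falls inside the range this page gives. It assumes, as a labelled assumption, that eWON versions are MAJOR.MINOR with an optional lowercase patch letter and optional build number, and that a lettered release sorts after the bare MAJOR.MINOR.

```python
import re
from typing import Optional, Tuple

# Assumption (not from the advisory): version strings look like "12.2", "13.0",
# "13.0s" or "13.0s1"; the optional letter is a patch level that sorts after the
# bare release, and a trailing number is a build within that patch level.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)([a-z]?)(\d*)\s*$")

# Range stated on this page: 12.2 through 13.0 inclusive; fixed in 13.0s.
VULN_LOW = "12.2"
FIXED_IN = "13.0s"

Version = Tuple[int, int, str, int]


def parse_version(text: str) -> Version:
    """Turn '13.0s1' into the sortable tuple (13, 0, 's', 1)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised eWON version string: {text!r}")
    major, minor, letter, build = m.groups()
    return (int(major), int(minor), letter, int(build) if build else 0)


def is_vulnerable(version: str) -> bool:
    """True when 12.2 <= version < 13.0s, i.e. the range this page lists."""
    v = parse_version(version)
    return parse_version(VULN_LOW) <= v < parse_version(FIXED_IN)


def extract_version(status_text: str) -> Optional[str]:
    """Pull the firmware version out of a 'Firmware ...' status line.

    Matches 'Firmware', optional words such as 'Version', an optional ':' or '=',
    then the version token. Returns None when no such line is present.
    """
    m = re.search(r"Firmware(?:\s+\w+)?\s*[:=]?\s*(\d+\.\d+[a-z]?\d*)", status_text)
    return m.group(1) if m else None


def triage(status_text: str) -> str:
    """One-line verdict for a captured status page."""
    version = extract_version(status_text)
    if version is None:
        return "unknown: no firmware version found in status output"
    verdict = "VULNERABLE" if is_vulnerable(version) else "not in affected range"
    return f"{version}: {verdict}"


# Constructed sample of what `curl ... | grep Firmware` might return; not real output.
SAMPLE_STATUS = "Firmware Version: 12.2s1\nSerial: 0000-0000-00\n"

if __name__ == "__main__":
    print(triage(SAMPLE_STATUS))
```

The comparison treats "13.0a" as older than "13.0s" because it sorts patch letters alphabetically; if a device reports a version whose scheme does not match the assumption above, `parse_version` raises rather than silently returning a verdict, which is the safer failure mode for a check that gates a firmware upgrade.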
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wrcgi.bin/wsdReadForm
- A login from a low-privileged account followed shortly by administrative logins from the same source address
Network Indicators:
- HTTP POST requests with base64-encoded credentials to wsdReadForm endpoint
- Unusual outbound connections from eWON devices
SIEM Query:
source="ewon_logs" AND method="POST" AND uri="*wsdReadForm*"
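As an added example of the log-based detection described above (not code from the original page or from the vendor), the script below runs the wsdReadForm indicators over a few constructed access-log lines in Apache combined format, as a reverse proxy or network tap in front of the device would write them; the eWON's own log format and the source addresses are assumptions. It raises an alert for any request to the endpoint from a source not on the operator's trusted list, and for bursts of requests from one source inside a short window, which is the pattern an automated credential dump produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample lines (not real eWON output). Format assumed: Apache/NGINX
# combined log, as written by a reverse proxy or tap in front of the device.
SAMPLE_LOG = """\
10.0.5.20 - admin [12/Mar/2024:09:01:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512
10.0.5.77 - guest [12/Mar/2024:09:02:01 +0000] "POST /wrcgi.bin/wsdReadForm HTTP/1.1" 200 2210
10.0.5.77 - guest [12/Mar/2024:09:02:03 +0000] "POST /wrcgi.bin/wsdReadForm HTTP/1.1" 200 2210
10.0.5.77 - guest [12/Mar/2024:09:02:04 +0000] "POST /wrcgi.bin/wsdReadForm HTTP/1.1" 200 2210
10.0.5.20 - admin [12/Mar/2024:09:10:44 +0000] "POST /wrcgi.bin/wsdReadForm HTTP/1.1" 200 2210
198.51.100.9 - - [12/Mar/2024:09:15:00 +0000] "POST /wrcgi.bin/wsdReadForm HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TARGET = "wsdReadForm"


def find_hits(log_text: str) -> List[dict]:
    """Return every POST to the wsdReadForm endpoint, regardless of HTTP status.

    A 401 still counts: an unauthenticated probe of the endpoint is itself a signal.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["method"] == "POST" and TARGET in m["uri"]:
            hits.append({
                "src": m["src"],
                "user": m["user"],
                "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "status": int(m["status"]),
            })
    return hits


def analyse(log_text: str, trusted: Set[str], threshold: int = 3,
            window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Map each alerting source address to the reasons it alerted."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for hit in find_hits(log_text):
        by_src[hit["src"]].append(hit)

    alerts: Dict[str, List[str]] = {}
    for src, hits in by_src.items():
        reasons = []
        if src not in trusted:
            reasons.append("wsdReadForm request from untrusted source")
        # Sliding window: flag the first run of >= threshold requests within `window`.
        times = sorted(h["time"] for h in hits)
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                reasons.append(f"{j - i} requests to wsdReadForm within {window}")
                break
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    # Trusted set is an assumption: the engineering workstation allowed to administer the device.
    for src, reasons in analyse(SAMPLE_LOG, trusted={"10.0.5.20"}).items():
        print(src, "->", "; ".join(reasons))
```

In the sample, the single request from the trusted administrator's workstation produces no alert, the three rapid requests from the guest account alert on both rules, and the unauthenticated probe from 198.51.100.9 alerts on the untrusted-source rule alone. Tune `trusted`, `threshold` and `window` to the site: a legitimate operator opening the user-management page may hit the endpoint once, but not several times a second.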