CVE-2019-25470: eWON Firmware 12.2-13.0 Authentication Bypass via wsdReadForm
eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded partial credentials and a crafted wsdList parameter to extract encrypted passwords for all users, which can be decrypted using a hardcoded XOR key.
Security readout for executives and security teams
Plain-English summary
CVE-2019-25470 lets an attacker bypass authentication on affected eWON firmware and retrieve sensitive user data. The source bundle says encrypted passwords for all users can be extracted and decrypted using a hardcoded XOR key. This is high business risk for reachable devices because account compromise may follow.
Executive priority
Treat as high priority for any reachable eWON deployment. The main risk is credential disclosure leading to broader unauthorized access, while evidence for active exploitation is not provided.
Technical view
eWON firmware 12.2 through 13.0 exposes an authentication bypass in /wrcgi.bin/wsdReadForm. Crafted POST requests using partial base64-encoded credentials and wsdList can retrieve encrypted user passwords. The weakness maps to CWE-798 and has CVSS 4.0 score 8.7. No patch version is identified in the provided sources.
Likely exposure
Organizations using eWON devices running firmware 12.2 to 13.0 are exposed if the affected endpoint is reachable by untrusted networks or users.
Exploitation context
The bundle cites ExploitDB-47380, indicating public exploit material exists. KEV is false, and the provided sources do not establish active exploitation in the wild.
Researcher notes
The key technical claim is authentication bypass plus recoverable encrypted passwords due to a hardcoded XOR key. Do not assume broader product impact beyond eWON firmware 12.2-13.0. Patch status is incomplete in the supplied evidence.
Mitigation direction
Identify all eWON devices and firmware versions.
Restrict access to eWON management interfaces and the affected endpoint.
Check eWON and VulnCheck guidance for fixed firmware or vendor mitigations.
Rotate affected credentials after remediation if exposure is suspected.
Review logs for suspicious requests to /wrcgi.bin/wsdReadForm.
Validation and detection
Confirm whether any device runs firmware 12.2 through 13.0.
Verify the affected endpoint is not reachable from untrusted networks.
Review access logs for unusual POST activity to wsdReadForm.
Confirm credential rotation occurred after remediation when exposure is plausible.
Track vendor guidance because no patch version is named here.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-798: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-798 · source CWE mapping
Use of Hard-coded Credentials
Use of Hard-coded Credentials represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.