CVE-2019-25244
Description
Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Legrand BTicino Driver Manager F454 1.0.51 lacks request validation, enabling CSRF password changes and stored XSS via unvalidated GET parameters.
Overview
Legrand BTicino Driver Manager F454 (firmware version 1.0.51) contains multiple web vulnerabilities stemming from a lack of proper request validation. The device, an audio/video web server used for remote control of home automation systems, does not verify the origin or integrity of HTTP requests processed by its administrative interface. This allows attackers to perform actions with administrative privileges without proper authorization checks. [1][3]
Exploitation
Attackers can exploit cross-site request forgery (CSRF) to change both the web access password (via /system/password.save.php) and the OpenWebNet password (via /system/ownpassword.save.php) by luring an authenticated administrator into visiting a malicious page. Additionally, stored cross-site scripting (XSS) is possible because the application fails to sanitize GET parameters before storing them, allowing persistent injection of arbitrary JavaScript. No authentication is required to initiate the CSRF attack if the victim is already logged in, and the XSS can affect any user who accesses the compromised interface. [1][3]
Impact
Successful CSRF exploitation results in unauthorized password changes, effectively locking out the legitimate administrator or enabling further access. Stored XSS allows the attacker to execute arbitrary scripts in the context of any user's browser, potentially leading to session hijacking, data exfiltration, or further manipulation of device settings. Combined, these flaws compromise the confidentiality and integrity of the home automation system, with an attacker gaining near-full administrative control. [1][2][3]
Mitigation
The vendor (BTicino S.p.A.) had not released a patched firmware version as of the disclosure date (advisory published April 30, 2019). Given the lack of an official update and the public availability of exploit code [3], users should consider isolating the device on a separate network segment, restricting administrative access to trusted IPs, and monitoring for unauthorized changes. Until a fix is provided, the device remains vulnerable to these attacks. [1][2][3]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 1.0.51
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.