CVE-2019-25250
Description
Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated CSRF in devolo dLAN 500 AV Wireless+ allows attackers to modify device configuration via predictable HTTP requests.
Cross-Site Request Forgery in devolo dLAN 500 AV Wireless+
The devolo dLAN 500 AV Wireless+ (version 3.1.0-1) contains a cross-site request forgery (CSRF) vulnerability because the web application fails to validate the origin or authenticity of HTTP requests. The device uses predictable URL patterns and form actions, and although a _csrf parameter exists in requests, it is never checked for validity, or even for the presence of a value [1][3]. This means an attacker can craft arbitrary POST requests that mimic legitimate administrative actions without any anti-CSRF protection.
Attack Vector and Prerequisites
To exploit this vulnerability, an attacker must lure an authenticated administrator of the devolo device to visit a malicious web page (or be on the same local network and use a man-in-the-middle technique). The malicious page can then silently issue HTTP requests to the device's CGI interface (e.g., http://DEVOLO-IP/cgi-bin/htmlmgr) using the victim's authenticated session, because the browser automatically includes any cookies or session tokens for the target host. No additional authentication or secret is needed; the request is accepted as legitimate because the session is valid [1][3].
Impact
A successful CSRF attack allows an attacker to modify various device configuration settings with administrative privileges. For example, the proof-of-concept request changes the NTP server, time zone, and other parameters via the NTPClient settings [3]. Beyond time settings, an attacker could alter other critical parameters, potentially disrupting network operation, enabling further attacks (e.g., changing DNS servers for phishing), or weakening security controls. Since the attack is performed in the context of the logged-in admin, the device has no way to distinguish the forged request from a legitimate one.
Mitigation Status
The vulnerability was publicly disclosed by Zero Science Lab in 2017 after the vendor did not respond within a reasonable timeframe [1]. An exploit has been published on Exploit-DB [3]. As of the CVE publication date (2025-12-24), no patched firmware version has been identified; users should restrict access to the device's web interface to trusted networks only and avoid browsing untrusted sites while logged in.
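The check the device lacks, as an added illustration that is not devolo's firmware code: a synchronizer token bound to the session is issued, and every state-changing request to the CGI endpoint must carry a non-empty _csrf value equal to that token and come from the device's own origin. Function names, the ntp_server form field and the 192.0.2.1 device address are constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not devolo's own code. validate_admin_request, the
# "ntp_server" field and the 192.0.2.1 address are constructed names.
ADMIN_ACTION_PATH = "/cgi-bin/htmlmgr"   # endpoint named in the advisory

def issue_csrf_token(session):
    """Bind a fresh, unguessable token to the authenticated session."""
    session["_csrf"] = secrets.token_urlsafe(32)
    return session["_csrf"]

def validate_admin_request(session, headers, form, device_host):
    """Decide whether a state-changing request to ADMIN_ACTION_PATH is accepted.
    Returns (accepted, reason). A valid session cookie alone is not enough:
    the _csrf field must be present, non-empty and equal to the session's
    token, and the browser-supplied Origin/Referer must name the device."""
    expected = session.get("_csrf")
    if not expected:
        return False, "no token bound to session"
    submitted = form.get("_csrf", "")
    # The advisory notes the device never checked the token even for a value.
    if not submitted:
        return False, "missing or empty _csrf"
    # Constant-time comparison so a guessed token is rejected without leaking.
    if not hmac.compare_digest(submitted, expected):
        return False, "token mismatch"
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or urlsplit(source).hostname != device_host:
        return False, "cross-site or absent Origin/Referer"
    return True, "ok"

def run_samples():
    """Constructed requests: one from the device UI and several forged ones."""
    device = "192.0.2.1"
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    ui = {"Origin": "http://" + device}
    attacker = {"Referer": "http://attacker.example/page.html"}
    change = {"ntp_server": "pool.ntp.org"}
    return {
        "legitimate": validate_admin_request(session, ui, dict(change, _csrf=token), device),
        "forged_no_token": validate_admin_request(session, attacker, change, device),
        "forged_empty_token": validate_admin_request(session, attacker, dict(change, _csrf=""), device),
        "forged_guessed_token": validate_admin_request(session, attacker, dict(change, _csrf="1234"), device),
        "right_token_wrong_origin": validate_admin_request(session, attacker, dict(change, _csrf=token), device),
    }
```

The last case shows why the Origin check is kept as defence in depth: even a leaked token is refused when the request does not come from the device's own web UI.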
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 3.1.0-1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.