cbcvebase.
CVE-2019-25246
published 2025-12-24

CVE-2019-25246: Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the…

PriorityP274high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
17.39%
96.7th percentile
Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths.

Affected

1 ranges
VendorProductVersion rangeFixed in
beward_r_d_co_ltdn100_h.264_vga_ip_camera

Detection & IOCsextracted from sources · hover to see the quote

url/cgi-bin/operator/fileread?READ.filePath=/etc/passwd
path/cgi-bin/operator/fileread
otherAuthorization: Basic YWRtaW46YWRtaW4=
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Beward fileread READ.filepath Parameter Arbitrary File Disclosure Attempt (CVE-2019-25246)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/operator/fileread|3f|"; startswith; fast_pattern; content:"READ.filepath|3d|"; distance:0; reference:url,www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php; reference:cve,2019-25246; classtype:attempted-admin; sid:2066568; rev:1; metadata:affected_product Beward, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_05, cve CVE_2019_25246, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP GET requests to /cgi-bin/operator/fileread with the READ.filePath (or READ.filepath) parameter set to an absolute file path (e.g., /etc/passwd). Detect by matching both the URI prefix and the parameter name.
  • Successful exploitation returns HTTP 200 with /etc/passwd content matching 'root:[x*]:0:0:' — use this regex as a response-side detection signal.
  • The Nuclei template uses a hardcoded Basic Auth header (Base64 of admin:admin) — presence of this header alongside the fileread URI is a strong indicator of automated exploitation.
  • The vulnerability also affects the SendCGICMD API endpoint in addition to the fileread script; monitor both for path traversal / absolute path parameters.
  • Snort/Suricata SID 2066568 (ET rule) covers this exploit in plaintext (non-TLS) traffic on perimeter and internal deployments.
  • ·The vulnerability requires authentication; the Nuclei template hardcodes admin:admin credentials. Detection rules should account for other valid credential combinations — exploitation is not limited to this default pair.
  • ·The ET Snort rule is scoped to plaintext (non-TLS) traffic only; encrypted sessions will not be detected by this signature.
  • ·The parameter name casing differs between sources ('READ.filePath' in the Nuclei template vs 'READ.filepath' in the Snort rule); detection logic should be case-insensitive to cover both variants.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.1HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.