Authentication Bypass in devolo dLAN 500 AV Wireless+
CVE-2019-25249

8.7 HIGH

Key Information:

Vendor: Devolo Ag

CVE Published: 24 December 2025

Badges

👾 Exploit Exists, 🟡 Public PoC

What is CVE-2019-25249?

The devolo dLAN 500 AV Wireless+ version 3.1.0-1 has a significant authentication bypass flaw that could allow attackers to manipulate system settings via the htmlmgr CGI script. This vulnerability permits unauthorized users to enable hidden services, including telnet and remote shell access, thereby gaining root permissions without requiring a password. Such access could lead to complete control over the device, posing a severe risk to the network's integrity and security.

Affected Version(s)

dLAN 550 duo+ Starter Kit 500 AV Wireless+ 3.1.0-1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stefan Petrushevski aka sm @zeroscience