Cross-Site Request Forgery in Leica Geosystems GNSS Products
CVE-2019-25259

5.1MEDIUM

Key Information:

Vendor

Leica Geosystems Ag

Status
Leica Geosystems Gr10/gr25/gr30/gr50 Gnss
Vendor
CVE Published:
7 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2019-25259?

The Leica Geosystems GNSS products (GR10, GR25, GR30, and GR50) with version 4.30.063 are susceptible to a cross-site request forgery vulnerability. This flaw enables attackers to deceive authenticated users into executing unintended actions, effectively compromising the application’s security. By designing malicious web pages that send unverified requests, attackers can exploit this vulnerability to gain unauthorized administrative access, highlighting the importance of robust request validation mechanisms in web applications.

Affected Version(s)

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.20.232

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.11.606

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-25259 - Proof of Concept

CVE-2019-25259 - Proof of Concept

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-55...
third-party-advisory
https://www.exploit-db.com/exploits/46090
exploit
https://packetstormsecurity.com/files/151040
exploit

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

LiquidWorm as Gjoko Krstic of Zero Science Lab
JSON
.
CVE-2019-25259 : Cross-Site Request Forgery in Leica Geosystems GNSS Products