CVE-2019-25252

Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.exploit-db.com/exploits/44671	Exploit
https://www.teradek.com	Product
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5460.php	Exploit Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5460.php	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:teradek:vidiu_pro_firmware:2.4.10:::::::*
	cpe:2.3:o:teradek:vidiu_pro_firmware:3.0.2:build31225::::::
	cpe:2.3:o:teradek:vidiu_pro_firmware:3.0.3:build32136::::::

cpe:2.3:h:teradek:vidiu_pro:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:teradek:vidiu_firmware:2.4.10:::::::*
	cpe:2.3:o:teradek:vidiu_firmware:3.0.2:build31225::::::
	cpe:2.3:o:teradek:vidiu_firmware:3.0.3:build32136::::::

cpe:2.3:h:teradek:vidiu:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:teradek:vidiu_mini_firmware:2.4.10:::::::*
	cpe:2.3:o:teradek:vidiu_mini_firmware:3.0.2:build31225::::::
	cpe:2.3:o:teradek:vidiu_mini_firmware:3.0.3:build32136::::::

cpe:2.3:h:teradek:vidiu_mini:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-24 20:15

Updated : 2026-01-26 16:15

NVD link : CVE-2019-25252

Mitre link : CVE-2019-25252

CVE.ORG link : CVE-2019-25252

JSON object : View

Products Affected

teradek

vidiu_pro
vidiu_mini
vidiu_firmware
vidiu_mini_firmware
vidiu
vidiu_pro_firmware

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2019-25252", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-24T20:15:53.700", "references": [{"url": "https://www.exploit-db.com/exploits/44671", "tags": ["Exploit"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.teradek.com", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5460.php", "tags": ["Exploit", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5460.php", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page."}], "lastModified": "2026-01-26T16:15:54.310", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:teradek:vidiu_pro_firmware:2.4.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB502907-F471-4CD6-96DB-482B8E0E1D74"}, {"criteria": "cpe:2.3:o:teradek:vidiu_pro_firmware:3.0.2:build31225:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3E2233DB-2467-4595-B0C5-AD15019F0EED"}, {"criteria": "cpe:2.3:o:teradek:vidiu_pro_firmware:3.0.3:build32136:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADC66DD8-EA14-47C0-8C31-C1B472FB7CC4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:teradek:vidiu_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "58CE55D2-C40E-4D63-ACA4-CCC076ACF6BD"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:teradek:vidiu_firmware:2.4.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9CF9D82E-74EA-4BC6-8BA2-13421428591A"}, {"criteria": "cpe:2.3:o:teradek:vidiu_firmware:3.0.2:build31225:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20A7FFB3-8409-47F4-B4CC-1E2E61DB06F9"}, {"criteria": "cpe:2.3:o:teradek:vidiu_firmware:3.0.3:build32136:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "287269D2-ECA3-49B5-AA3D-0BE655AC50CC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:teradek:vidiu:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DC6A98F2-4C8D-4E91-9E8C-8503F8ABEEBD"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:teradek:vidiu_mini_firmware:2.4.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A6176D1-8E72-4146-8C8D-758EB9D17DBC"}, {"criteria": "cpe:2.3:o:teradek:vidiu_mini_firmware:3.0.2:build31225:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "542AECA0-5850-449F-90DC-2CE286C1B9CC"}, {"criteria": "cpe:2.3:o:teradek:vidiu_mini_firmware:3.0.3:build32136:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "318A8078-6BA8-4CB3-BF9A-3EA28C5FD690"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:teradek:vidiu_mini:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8D11D449-7AD2-419F-A514-004979C34C73"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "disclosure@vulncheck.com"}