← back
CVE-2019-25249

devolo dLAN 500 AV Wireless+ 3.1.0-1 Remote Code Execution via htmlmgr

CVSS 8.7 HIGHEPSS 0.4%CWE-266
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.7EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
24 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
devolo AG · dLAN 550 duo+ Starter Kit

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.devolo.comhttps://www.exploit-db.com/exploits/46325https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php