V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access.
V-SOL GPON/EPON OLT Platform 2.03 Unauthenticated Configuration Download
Problem type
CWE-552: Files or Directories Accessible to External Parties
Affected products
Guangzhou V-SOLUTION Electronic Technology
V2.03.62R_IPv6 - AFFECTED
V2.03.54R - AFFECTED
V2.03.52R - AFFECTED
V2.03.49 - AFFECTED
V2.03.47 - AFFECTED
V2.03.40 - AFFECTED
V2.03.26 - AFFECTED
V2.03.24 - AFFECTED
V1.8.6 - AFFECTED
V1.4 - AFFECTED
References
https://www.exploit-db.com/exploits/47433
https://www.vsolcn.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5534.php
GitHub Security Advisories
GHSA-43qf-qj5j-5r47
V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure...
https://github.com/advisories/GHSA-43qf-qj5j-5r47
V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2019-25239
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2019-25239",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2025-12-24T20:23:32.107Z",
"dateReserved": "2025-12-24T14:27:12.476Z",
"datePublished": "2025-12-24T19:27:57.201Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2025-12-24T19:27:57.201Z"
},
"datePublic": "2019-09-27T00:00:00.000Z",
"title": "V-SOL GPON/EPON OLT Platform 2.03 Unauthenticated Configuration Download",
"descriptions": [
{
"lang": "en",
"value": "V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access."
}
],
"affected": [
{
"vendor": "Guangzhou V-SOLUTION Electronic Technology",
"product": "GPON/EPON OLT Platform",
"versions": [
{
"version": "V2.03.62R_IPv6",
"status": "affected"
},
{
"version": "V2.03.54R",
"status": "affected"
},
{
"version": "V2.03.52R",
"status": "affected"
},
{
"version": "V2.03.49",
"status": "affected"
},
{
"version": "V2.03.47",
"status": "affected"
},
{
"version": "V2.03.40",
"status": "affected"
},
{
"version": "V2.03.26",
"status": "affected"
},
{
"version": "V2.03.24",
"status": "affected"
},
{
"version": "V1.8.6",
"status": "affected"
},
{
"version": "V1.4",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Files or Directories Accessible to External Parties",
"cweId": "CWE-552",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/47433",
"name": "ExploitDB-47433",
"tags": [
"exploit"
]
},
{
"url": "https://www.vsolcn.com",
"name": "V-SOL Official Product Homepage",
"tags": [
"product"
]
},
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5534.php",
"name": "Zero Science Lab Disclosure (ZSL-2019-5534)",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
}
],
"credits": [
{
"lang": "en",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-12-24T20:23:32.107Z"
},
"title": "CISA ADP Vulnrichment",
"references": [
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5534.php",
"tags": [
"exploit"
]
},
{
"url": "https://www.exploit-db.com/exploits/47433",
"tags": [
"exploit"
]
}
],
"metrics": [
{}
]
}
]
}
}