KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page.
PUBLISHED5.2CWE-352
KYOCERA Net Admin 3.4.0906 Cross-Site Request Forgery via User Administration
Problem type
Affected products
KYOCERA Corporation
KYOCERA Net Admin
3.4.0906 - AFFECTED
References
ExploitDB-44431
https://www.exploit-db.com/exploits/44431
KYOCERA Official Website
https://global.kyocera.com
Zero Science Lab Disclosure (ZSL-2018-5458)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5458.php
GitHub Security Advisories
GHSA-gqfp-2982-4j8v
KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows...
https://github.com/advisories/GHSA-gqfp-2982-4j8vKYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2019-25254Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2019-25254",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2025-12-24T20:21:49.801Z",
"dateReserved": "2025-12-24T14:27:12.478Z",
"datePublished": "2025-12-24T19:28:04.889Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2025-12-24T19:28:04.889Z"
},
"title": "KYOCERA Net Admin 3.4.0906 Cross-Site Request Forgery via User Administration",
"descriptions": [
{
"lang": "en",
"value": "KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page."
}
],
"affected": [
{
"vendor": "KYOCERA Corporation",
"product": "KYOCERA Net Admin",
"versions": [
{
"version": "3.4.0906",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Cross-Site Request Forgery (CSRF)",
"cweId": "CWE-352",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/44431",
"name": "ExploitDB-44431",
"tags": [
"exploit"
]
},
{
"url": "https://global.kyocera.com",
"name": "KYOCERA Official Website",
"tags": [
"product"
]
},
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5458.php",
"name": "Zero Science Lab Disclosure (ZSL-2018-5458)",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-12-24T20:21:49.801Z"
},
"title": "CISA ADP Vulnrichment",
"references": [
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5458.php",
"tags": [
"exploit"
]
}
],
"metrics": [
{}
]
}
]
}
}