Devolo dLAN 500 AV Wireless+ 3.1.0-1 Cross-Site Request Forgery

Advisories

severity: medium
date: December 24, 2025
Affecting: dLAN 550 duo+ Starter Kit 500 AV Wireless+ 3.1.0-1
CVE: CVE-2019-25250
CWE: CWE-352 Cross-Site Request Forgery (CSRF)
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-46324
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5507)
Credit: Stefan Petrushevski aka sm @zeroscience
Description: Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site.