INIM Electronics Smartliving SmartLAN/G/SI <=6.x Unauthenticated SSRF via GetImage

Advisories

severity: medium
date: January 7, 2026
Affecting: Smartliving SmartLAN/G/SI <=6.x, 505, 515, 1050, 1050/G3, 10100L, 10100L/G3
CVE: CVE-2019-25290
CWE: CWE-918 Server-Side Request Forgery (SSRF)
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
References: Zero Science Lab Vulnerability Advisory
Exploit Database Entry 47764
Packet Storm Security Exploit File
IBM X-Force Vulnerability Exchange Entry
INIM Vendor Homepage
Credit: Sipke Mellema
Description: Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through arbitrary HTTP requests.