Home

Description

Dongyoung Media DM-AP240T/W wireless access points contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/sys_system_config management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network.

PUBLISHED Reserved 2025-11-26 | Published 2025-11-26 | Updated 2025-11-28 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unknown

Any version
affected

Timeline

2019-10-03:Exploit is publicly disclosed

Credits

Todor Donev finder

References

packetstorm.news/files/id/154719/ exploit

cxsecurity.com/issue/WLB-2019100012 exploit

dongyoung.com/ product

www.vulncheck.com/...240tw-unauthenticated-config-disclosure third-party-advisory

cve.org (CVE-2019-25226)

nvd.nist.gov (CVE-2019-25226)

Download JSON