Platform: other
Component: facesentry-access-control-system
Fixed in: 6.4.9, 5.7.3, 5.7.1
CVE-2019-25242 describes a cross-site request forgery (XSRF) vulnerability present in FaceSentry Access Control System versions up to 6.4.8. This flaw allows attackers to trick authenticated administrators into unknowingly executing malicious actions, potentially granting unauthorized access and control. The vulnerability was published on December 24, 2025, and a patch is available in version 6.4.9.
The primary impact of this XSRF vulnerability lies in the ability of an attacker to impersonate an authenticated administrator. By crafting malicious web pages, an attacker can induce a legitimate administrator to unknowingly execute commands that would otherwise require their explicit consent. This could include actions such as changing administrator passwords, adding new administrator accounts, or even opening access control doors, effectively bypassing security measures. The blast radius extends to the entire access control system, potentially compromising physical security and enabling unauthorized entry.
Public information regarding active exploitation of CVE-2019-25242 is currently limited. The vulnerability was published on December 24, 2025. It is not listed on the CISA KEV catalog at the time of writing. While no public proof-of-concept (PoC) code has been widely disseminated, the inherent nature of XSRF vulnerabilities makes it likely that an exploit could be developed relatively easily.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2019-25242 is to immediately upgrade FaceSentry Access Control System to version 6.4.9 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as requiring multi-factor authentication (MFA) for all administrative actions. Implementing strict input validation and output encoding can also help reduce the risk of XSRF attacks. Regularly review access control logs for any suspicious activity.
Update FaceSentry Access Control System to a fixed release for your branch: 6.4.9, 5.7.3 or 5.7.1 (that is, later than 6.4.8, 5.7.2 or 5.7.0 respectively). As a temporary measure, disable remote access to the web interface or implement CSRF protections.
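The CSRF protection recommended above, shown as an added illustration of the synchronizer-token pattern on a state-changing admin endpoint. This is not FaceSentry code and says nothing about how that product's interface is built; the Request and Session classes, the ALLOWED_ORIGIN value and the "open door" action are constructed stand-ins for whatever web stack a real controller uses. The pre-fix handler trusts the session cookie alone, which is exactly what lets a page in another tab submit the form on the administrator's behalf; the hardened handler additionally requires a per-session token that a cross-site page cannot read, and checks that the Origin (or Referer) header names the controller's own origin.

```python
"""Synchronizer-token CSRF protection for a state-changing admin action.

Added illustration only; not FaceSentry code. Request/Session are constructed
stand-ins for a web framework's objects, ALLOWED_ORIGIN is an assumed hostname.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://controller.example"  # assumed deployment origin


@dataclass
class Request:
    method: str
    headers: dict
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    admin: str            # authenticated administrator, "" if not logged in
    csrf_token: str = ""  # server-side copy of the token embedded in forms


def issue_csrf_token(session: Session) -> str:
    """Mint a random per-session token; the server renders it into every
    state-changing form as a hidden field."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def same_origin(header_value: str) -> bool:
    """Compare scheme://host[:port] exactly. A plain prefix test would accept
    https://controller.example.evil.example, so parse instead of startswith."""
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def open_door_vulnerable(session: Session, request: Request) -> tuple[int, str]:
    """Pre-fix pattern: the session cookie is the only authorization signal,
    so the browser supplies it for any site that submits this form."""
    if request.method != "POST":
        return 405, "method not allowed"
    if not session.admin:
        return 401, "not logged in"
    return 200, f"door opened by {session.admin}"


def open_door_hardened(session: Session, request: Request) -> tuple[int, str]:
    """Same action with two independent CSRF checks."""
    if request.method != "POST":
        return 405, "method not allowed"
    if not session.admin:
        return 401, "not logged in"
    # Check 1: token in the form body must match the session copy. A cross-site
    # page cannot read the admin's rendered form, so it cannot supply it.
    submitted = request.form.get("csrf_token", "")
    if not session.csrf_token or not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "csrf token missing or invalid"
    # Check 2: browsers attach Origin to cross-site POSTs; fall back to Referer.
    source = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not same_origin(source):
        return 403, "cross-origin request rejected"
    return 200, f"door opened by {session.admin}"


def demo() -> dict:
    """Run both handlers against a legitimate and several forged requests.
    All requests are constructed; the 'forged' ones model a submission from an
    unrelated page in the same browser, which carries the cookie but no token."""
    sess = Session(admin="admin")
    token = issue_csrf_token(sess)
    legit = Request("POST", {"Origin": ALLOWED_ORIGIN}, {"csrf_token": token})
    forged = Request("POST", {"Origin": "https://other.example"}, {})
    forged_with_token = Request("POST", {"Origin": "https://other.example"},
                                {"csrf_token": token})
    lookalike = Request("POST", {"Referer": "https://controller.example.other.example/x"},
                        {"csrf_token": token})
    return {
        "vulnerable_forged": open_door_vulnerable(sess, forged)[0],
        "hardened_forged": open_door_hardened(sess, forged)[0],
        "hardened_forged_with_token": open_door_hardened(sess, forged_with_token)[0],
        "hardened_lookalike_referer": open_door_hardened(sess, lookalike)[0],
        "hardened_legit": open_door_hardened(sess, legit)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

In production the token check would normally come from the framework's own CSRF middleware rather than be hand-written, and the session cookie should additionally carry SameSite=Lax or Strict so the browser withholds it on cross-site POSTs in the first place; the two checks above remain useful as defence in depth, and a 403 from either is a log event worth alerting on.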
CVE-2019-25242 is a cross-site request forgery vulnerability affecting FaceSentry Access Control System versions up to 6.4.8, allowing attackers to perform administrative actions without consent.
You are affected if you are using FaceSentry Access Control System version 6.4.8 or earlier. Upgrade to 6.4.9 to mitigate the risk.
Upgrade FaceSentry Access Control System to version 6.4.9 or later. As a temporary workaround, implement multi-factor authentication for administrative actions.
While no active exploitation has been widely reported, the vulnerability's nature makes it susceptible to exploitation. Monitor access logs for suspicious activity.
Refer to the FaceSentry official website or security advisory channels for the latest information and updates regarding CVE-2019-25242.