CVE-2019-25313: FlexNet Publisher CSRF Vulnerability

CVE-2019-25313 Overview

CVE-2019-25313 is a Cross-Site Request Forgery (CSRF) vulnerability affecting FlexNet Publisher 11.12.1. This vulnerability allows remote attackers to create administrative user accounts without authentication by crafting malicious HTML forms that trick authenticated users into submitting requests. When exploited, attackers can create new local admin accounts with predefined passwords, potentially leading to complete administrative control over the affected system.

Critical Impact

Successful exploitation allows attackers to create unauthorized administrative accounts, enabling full control over FlexNet Publisher licensing infrastructure and potentially compromising software licensing across the organization.

Affected Products

• FlexNet Publisher version 11.12.1
• Flexera FlexNet Licensing components

Discovery Timeline

• 2026-02-11 - CVE-2019-25313 published to NVD
• 2026-02-12 - Last updated in NVD database

Technical Details for CVE-2019-25313

Vulnerability Analysis

This Cross-Site Request Forgery (CSRF) vulnerability exists in FlexNet Publisher 11.12.1's administrative interface. The application fails to implement proper anti-CSRF tokens or validate the origin of requests when processing account creation operations. This allows attackers to craft malicious web pages containing hidden forms that, when visited by an authenticated administrator, automatically submit requests to create new administrative accounts with attacker-controlled credentials.

The vulnerability is classified under CWE-352 (Cross-Site Request Forgery), which occurs when a web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Root Cause

The root cause of CVE-2019-25313 is the absence of CSRF protection mechanisms in the FlexNet Publisher administrative interface. The application does not implement anti-CSRF tokens, same-site cookie attributes, or origin header validation when processing sensitive administrative operations such as user account creation. This allows state-changing requests to be forged by malicious third-party websites.

Attack Vector

The attack requires the victim (an authenticated FlexNet Publisher administrator) to visit a malicious website while their session is active. The attacker's page contains a hidden HTML form that automatically submits a POST request to the FlexNet Publisher administrative endpoint responsible for user creation. Since the victim's browser automatically includes session cookies with the request, the server processes it as a legitimate administrative action, creating a new admin account with the attacker's specified credentials.

The attack is network-based and requires user interaction (visiting the malicious page), but does not require any privileges on the target system. Once the malicious admin account is created, the attacker can authenticate directly and gain full administrative access to the FlexNet Publisher instance.

For detailed technical information about this vulnerability, see the VulnCheck Advisory on FlexNet Publisher and Exploit-DB #47986.

Detection Methods for CVE-2019-25313

Indicators of Compromise

• Unexpected administrative user accounts appearing in FlexNet Publisher user management
• User accounts with suspicious or generic names created without administrator knowledge
• Authentication logs showing new admin account creation requests originating from unusual referrer headers
• Web server logs indicating POST requests to user creation endpoints with external referrer origins

Detection Strategies

• Monitor FlexNet Publisher user creation events and alert on any new administrative accounts
• Implement web application firewall (WAF) rules to detect and block requests with suspicious or missing referrer headers to sensitive endpoints
• Review web server access logs for patterns indicating CSRF attacks, such as POST requests to administrative endpoints with external referrers
• Deploy SentinelOne Singularity to detect suspicious process behavior and unauthorized access patterns

Monitoring Recommendations

• Enable comprehensive logging for all FlexNet Publisher administrative actions
• Configure alerts for any new user account creation events, particularly those with administrative privileges
• Regularly audit the FlexNet Publisher user database for unauthorized accounts
• Implement session monitoring to detect unusual administrative session patterns

How to Mitigate CVE-2019-25313

Immediate Actions Required

• Audit existing FlexNet Publisher user accounts and remove any unauthorized administrative accounts
• Restrict network access to FlexNet Publisher administrative interfaces to trusted IP addresses only
• Implement a web application firewall (WAF) with CSRF protection rules in front of FlexNet Publisher
• Educate administrators about CSRF risks and avoiding untrusted links while authenticated to administrative interfaces
• Consider upgrading to a newer version of FlexNet Publisher that includes CSRF protections

Patch Information

Organizations should contact Flexera Software for information about patched versions of FlexNet Publisher. Review the Flexera FlexNet Licensing Product page for the latest security updates and version information.

Workarounds

• Deploy a reverse proxy or WAF with CSRF token enforcement in front of FlexNet Publisher administrative interfaces
• Implement network segmentation to restrict access to administrative endpoints from trusted management networks only
• Require administrators to use dedicated browsers or browser profiles exclusively for FlexNet Publisher administration
• Configure strict same-site cookie policies at the reverse proxy level if possible

# Example: Restrict administrative interface access using iptables
# Allow only trusted management network (192.168.10.0/24) to access FlexNet Publisher admin port
iptables -A INPUT -p tcp --dport 8090 -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP