CVE-2025-34023
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-11-20
Assigner: VulnCheck
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path traversal flaw in the Karel IP1211 IP Phone's web management panel. It occurs because the /cgi-bin/cgiServer.exx endpoint does not properly sanitize user input to the 'page' parameter. Authenticated remote attackers can exploit this by sending specially crafted requests with path traversal sequences (like ../../) to access arbitrary files on the device's underlying system. This can lead to exposure of sensitive files such as /etc/passwd and /etc/shadow, which contain user account information and hashed passwords. [2, 3]
How can this vulnerability impact me?
Exploiting this vulnerability allows an attacker with authentication (which can be achieved using default credentials) to access sensitive system files on the Karel IP1211 IP Phone. This can lead to disclosure of user account information and hashed passwords, potentially enabling further attacks such as privilege escalation or unauthorized access to the device and network. The exposure of these critical files poses a significant security risk to the confidentiality and integrity of the system. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access sensitive files through the vulnerable endpoint using crafted HTTP GET requests with path traversal payloads on the 'cgiServer.exx?page=' parameter. For example, using curl commands with authentication to test access to /etc/passwd or /etc/shadow files:

1. `curl -u admin:admin 'http://[target IP]/cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd'`
2. `curl -u admin:admin 'http://[target IP]/cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/shadow'`

If the contents of these files are returned, the system is vulnerable. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include changing default credentials (e.g., admin:admin) to strong, unique passwords to prevent unauthorized authenticated access. Additionally, restrict access to the web management panel to trusted networks only, and monitor for suspicious access attempts. Applying any available firmware or software updates from the vendor that address this vulnerability is also recommended. [2, 3]
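
One way to implement the monitoring suggested above, as an added example that is not from this page or the vendor: a Python scan of HTTP access logs that flags requests to /cgi-bin/cgiServer.exx whose decoded 'page' value contains a `..` segment or an absolute path. The combined log format (from a proxy or sensor in front of the phone), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/cgi-bin/cgiserver.exx"  # endpoint from the advisory, compared lower-cased
# Assumed input: combined-log-format lines from a proxy or sensor in front of the phone.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_unquote(value, rounds=3):
    """Percent-decode until stable so nested encodings are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(page_value):
    """True if the decoded 'page' value has a '..' segment or is an absolute path."""
    path = fully_unquote(page_value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def scan(lines):
    """Return one finding per suspicious 'page' value sent to the vulnerable endpoint."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if fully_unquote(url.path).lower() != ENDPOINT:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("page", []):
            if is_traversal(value):
                findings.append({"src": m["src"], "page": fully_unquote(value),
                                 "served": m["status"] == "200"})  # 200 suggests the file was returned
    return findings

# Constructed sample log lines (documentation IP ranges), not taken from a real device.
SAMPLE = [
    '192.0.2.10 - admin [20/Jun/2025:10:00:01 +0000] "GET /cgi-bin/cgiServer.exx?page=../../../../etc/passwd HTTP/1.1" 200 812',
    '192.0.2.10 - admin [20/Jun/2025:10:00:05 +0000] "GET /cgi-bin/cgiServer.exx?page=..%2f..%2fetc%2fshadow HTTP/1.1" 404 0',
    '198.51.100.7 - admin [20/Jun/2025:10:02:11 +0000] "GET /cgi-bin/cgiServer.exx?page=index.htm HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jun/2025:10:02:12 +0000] "GET /images/logo.png?page=../x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings with `served` set to true are the ones to triage first, since a 200 response to a traversal request matches the vulnerable behaviour described above.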