CVE-2025-57433
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-10-14
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 2wcom | ip-4c_firmware | 2.15.5 |
| 2wcom | ip-4c | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the 2wcom IP-4c 2.15.5 device's web interface, where an authenticated attacker, even with a low-privileged account like guest, can send a specially crafted POST request to a specific endpoint (/cwi/ajax_request/get_data.php) to retrieve hashed passwords for admin, manager, and guest accounts. This allows the attacker to potentially crack these hashes offline and gain administrative access to the device.
How can this vulnerability impact me?
The vulnerability can significantly weaken the security of the affected device by allowing attackers to obtain hashed passwords of critical accounts. If these hashes are cracked, attackers can gain administrative access, potentially leading to unauthorized control, data theft, or disruption of device operations.