cbcvebase.
CVE-2025-34023
published 2025-06-20

CVE-2025-34023: A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user…

PriorityP278high8.5CVSS 4.0
AVNACLATNPRLUINVCHVINVANSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.41%
69.3th percentile
A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user input to the page parameter, allowing remote authenticated attackers to access arbitrary files on the underlying system by using crafted path traversal sequences. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

Detection & IOCsextracted from sources · hover to see the quote

url/cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd
path/cgi-bin/cgiServer.exx
yara
regex: root:[x*]:0:0
  • Detect exploitation attempts by monitoring GET requests to /cgi-bin/cgiServer.exx with path traversal sequences (e.g., ../) in the 'page' parameter.
  • Alert on HTTP 200 responses from /cgi-bin/cgiServer.exx that contain the string matching 'root:[x*]:0:0', indicating successful /etc/passwd file disclosure.
  • Active exploitation of this vulnerability was observed in the wild; prioritize detection on internet-exposed Karel IP1211 devices.
  • The default credential Base64 value 'YWRtaW46YWRtaW4=' decodes to 'admin:admin'; monitor for authentication attempts using this credential against the management panel.
  • ·The vulnerability requires authentication (remote authenticated attackers), but the Nuclei template uses the default credential 'admin:admin', suggesting exploitation is trivial on devices with unchanged default credentials.
  • ·The CVSS metadata in the template is marked PR:N (no privileges required), which conflicts with the NVD description stating authentication is required; detections should account for both authenticated and unauthenticated scenarios.

CVSS provenance

nvdv4.08.5HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck8.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.