CVE-2025-34023
Published: 2025-06-20
Priority: P278 · Severity: high · CVSS 4.0 base score: 8.5
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 1.41% (69.3rd percentile)
A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user input to the page parameter, allowing remote authenticated attackers to access arbitrary files on the underlying system by using crafted path traversal sequences. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
Detection & IOCs (extracted from sources)
YARA / regex: root:[x*]:0:0
- Detect exploitation attempts by monitoring GET requests to /cgi-bin/cgiServer.exx with path traversal sequences (e.g., ../) in the 'page' parameter.
- Alert on HTTP 200 responses from /cgi-bin/cgiServer.exx whose body matches 'root:[x*]:0:0', indicating successful /etc/passwd file disclosure.
- Active exploitation of this vulnerability was observed in the wild; prioritize detection on internet-exposed Karel IP1211 devices.
- The default credential Base64 value 'YWRtaW46YWRtaW4=' decodes to 'admin:admin'; monitor for authentication attempts using this credential against the management panel.
- The vulnerability requires authentication (remote authenticated attackers), but the Nuclei template uses the default credential 'admin:admin', suggesting exploitation is trivial on devices with unchanged default credentials.
- The CVSS metadata in the template is marked PR:N (no privileges required), which conflicts with the NVD description stating authentication is required; detections should account for both authenticated and unauthenticated scenarios.
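The first two detection notes above, written out as runnable Python. This is an added example, not code from the advisory, VulnCheck, or the Nuclei project: it parses constructed access-log lines, flags requests to /cgi-bin/cgiServer.exx whose 'page' parameter carries a parent-directory sequence, and checks a response body for the root:[x*]:0:0 marker quoted in the YARA/regex hint. The combined-log-format layout, the IP addresses, timestamps and response bodies are all constructed for the example, and the helper that percent-decodes more than once is an assumption about how an attempt might be encoded, not something the page states.

```python
"""Added example, not taken from the advisory or any vendor or Nuclei code:
detection logic for CVE-2025-34023-style requests against the Karel IP1211
management panel, run over constructed access-log lines and response bodies."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/cgi-bin/cgiServer.exx"   # endpoint named in the advisory
# Marker from the page's YARA/regex hint: the root entry of /etc/passwd.
PASSWD_MARKER = re.compile(r"root:[x*]:0:0")

# Combined-log-format style line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2025:10:15:01 +0000] "GET /cgi-bin/cgiServer.exx?page=../../../../etc/passwd HTTP/1.1" 200 1523
203.0.113.7 - - [02/Feb/2025:10:15:02 +0000] "GET /cgi-bin/cgiServer.exx?page=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 812
198.51.100.4 - - [02/Feb/2025:10:16:10 +0000] "GET /cgi-bin/cgiServer.exx?page=status.html HTTP/1.1" 200 4096
198.51.100.4 - - [02/Feb/2025:10:16:11 +0000] "GET /index.html?page=../x HTTP/1.1" 200 2048
203.0.113.9 - - [02/Feb/2025:10:17:00 +0000] "GET /cgi-bin/cgiServer.exx?page=....//....//etc/passwd HTTP/1.1" 404 0
"""


def _decode_fully(value, max_rounds=3):
    """Percent-decode until stable so doubly encoded sequences are unwrapped (assumed evasion)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(page_value):
    """True when the decoded page value carries a parent-directory sequence."""
    decoded = _decode_fully(page_value).replace("\\", "/")
    return "../" in decoded or decoded.endswith("..")


def analyze_log(text):
    """Return one alert dict per request to TARGET_PATH whose page parameter traverses."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in the expected format
        parts = urlsplit(m.group("url"))
        if parts.path != TARGET_PATH:
            continue                      # only the vulnerable endpoint is of interest
        query = parse_qs(parts.query, keep_blank_values=True)
        for page in query.get("page", []):
            if is_traversal(page):
                alerts.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "page": page,
                    "status": int(m.group("status")),
                    # A 200 means content came back for the traversal path; confirm
                    # disclosure with response_discloses_passwd() where the body is available.
                    "likely_success": m.group("status") == "200",
                })
    return alerts


def response_discloses_passwd(body):
    """True when a response body contains the /etc/passwd root-entry marker."""
    return PASSWD_MARKER.search(body) is not None


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
    # Constructed response body standing in for a successful disclosure.
    print(response_discloses_passwd("root:x:0:0:root:/root:/bin/sh\n"))
```

Matching on the decoded value rather than the raw query string is the point of the example: the second sample line is percent-encoded and the last uses a doubled "....//" form, and both still trip the check, while the request to /index.html with a traversal-looking parameter is ignored because the endpoint filter comes first.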
CVSS provenance
- NVD (v4.0): 8.5 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 8.5 HIGH
GHSA
GHSA-37m2-9j5v-c4v4 (unreviewed, 2025-06-20) · CVE-2025-34023 [HIGH] · CWE-22
A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user input to the page parameter, allowing remote authenticated attackers to access arbitrary files on the underlying system by using crafted path traversal sequences (e.g., ../../). This can expose sensitive files such as /etc/passwd and /etc/shadow.
VulnCheck
CVE-2025-34023 [HIGH] · CVSS 8.5 · 2025 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user input to the page parameter, allowing remote authenticated attackers to access arbitrary files on the underlying system by using crafted path traversal sequences. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
Affected: Karel IP1211 IP Phone's Web Management Panel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://vulncheck.com/advisories/karel-ip-phone-path-traversal; https://ww
No detection rules found.
Nuclei
CVE-2025-34023 [HIGH] · CVSS 8.5 · Karel IP Phone IP1211 Web Management Panel - Local File Inclusion
Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
Template:
id: CVE-2025-34023
info:
  name: Karel IP Phone IP1211 Web Management Panel - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
  impact: |
    Attackers can read arbitrary files including sensitive configuration and credential files stored on the device through