CVE-2025-48047
Published 2025-05-29
CVE-2025-48047: An authenticated user can perform command injection via unsanitized input to the NetFax Server’s ping functionality via the /test.php endpoint.
Priority P261 | critical | 9.4 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (all remaining metrics X, not defined)
EPSS: 11.72% (95.5th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mici_network_co_ltd | netfax_server | < 3.0.1.0 | 3.0.1.0 |
Detection & IOCs
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M2 (CVE-2025-48047)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/test.php"; startswith; http.request_body; content:"g_ETHNAMESERVER2|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48047; classtype:attempted-admin; sid:2062632; rev:1;)
```
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M1 (CVE-2025-48047)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/test.php?"; startswith; content:"g_ETHNAMESERVER2|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48047; classtype:attempted-admin; sid:2062631; rev:1;)
```
- Exploitation of CVE-2025-48047 goes through the `g_ETHNAMESERVER2` POST body parameter of `/test.php` (M2 variant). Look for POST requests to `/test.php` containing `g_ETHNAMESERVER2=` followed by shell metacharacters: semicolon (`;`/`%3B`), newline (`\n`/`%0A`), backtick (`` ` ``/`%60`), pipe (`|`/`%7C`), or dollar sign (`$`/`%24`).
- CVE-2025-48047 also has a GET variant (M1). Look for GET requests to `/test.php?` with `g_ETHNAMESERVER2=` in the URI query string followed by the same shell metacharacter set.
- Traffic is expected in plaintext (non-TLS). Deploy detection at the network perimeter and internally.
- The Snort/ET rules for CVE-2025-48047 (sids 2062631 and 2062632) use a PCRE anchored relative to the `g_ETHNAMESERVER2=` content match. Ensure your IDS/IPS engine supports the `http.request_body` sticky buffer and relative PCRE (the `/R` flag) so that the POST variant is matched accurately.
- The vendor has not fixed these vulnerabilities as of the disclosure date (2025-05-29). No patch is available; detection and network-level blocking are the primary mitigations.
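The matching logic of sids 2062631 and 2062632, re-expressed in Python for triaging proxy or web-server logs where no IDS sits in the path. This is an added example, not part of the ET ruleset or of the original page; the function names and sample requests are constructed, and the inputs are assumed to be the URI and body exactly as logged, without percent-decoding.

```python
import re

PARAM = "g_ETHNAMESERVER2="
# Same alternation as the rules' PCRE: starting right after PARAM, stay inside
# the parameter value (no "&") until a raw or percent-encoded ; newline ` | $.
META_AFTER_PARAM = re.compile(
    r"[^\x26]*?(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)+"
)

def _value_has_metachar(buf: str) -> bool:
    """Emulate content + relative PCRE (/R): test after each PARAM occurrence."""
    pos = buf.find(PARAM)
    while pos != -1:
        # match() with a start offset anchors at that offset, like "^" with /R.
        if META_AFTER_PARAM.match(buf, pos + len(PARAM)):
            return True
        pos = buf.find(PARAM, pos + 1)
    return False

def matching_sid(method: str, uri: str, body: str = ""):
    """Return the sid of the rule a request would trigger, or None."""
    if method == "GET" and uri.startswith("/test.php?") and _value_has_metachar(uri):
        return 2062631  # M1: parameter in the query string
    if method == "POST" and uri.startswith("/test.php") and _value_has_metachar(body):
        return 2062632  # M2: parameter in the request body
    return None

# Constructed requests (method, uri, body). INJECTED is a placeholder for
# whatever text follows the metacharacter; addresses are documentation ranges.
SAMPLES = [
    ("GET", "/test.php?g_ETHNAMESERVER2=192.0.2.53", ""),
    ("GET", "/test.php?g_ETHNAMESERVER2=192.0.2.53%3BINJECTED", ""),
    ("POST", "/test.php", "g_ETHNAMESERVER1=192.0.2.1&g_ETHNAMESERVER2=192.0.2.53|INJECTED"),
    ("POST", "/test.php", "g_ETHNAMESERVER2=192.0.2.53&note=a;b"),
    ("POST", "/index.php", "g_ETHNAMESERVER2=192.0.2.53;INJECTED"),
]

def classify_samples():
    return [matching_sid(m, u, b) for m, u, b in SAMPLES]

if __name__ == "__main__":
    for sample, sid in zip(SAMPLES, classify_samples()):
        print(sid, sample)
```

The fourth sample stays clean because `[^\x26]*?` stops at the first `&`, so a metacharacter in a different parameter does not count against `g_ETHNAMESERVER2`.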
Suricata
ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M2 (CVE-2025-48047)
suricata·2025-05-29·CVSS 9.4
CVE-2025-48047 [CRITICAL] ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M2 (CVE-2025-48047)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M2 (CVE-2025-48047)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/test.php"; startswith; http.request_body; content:"g_ETHNAMESERVER2|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48047; classtype:attempted-admin; sid:2062632; rev:1; metadata:affected_product NetFax, attack_
Suricata
ET WEB_SPECIFIC_APPS Netfax client.php Admin Credentials Disclosure Attempt (CVE-2025-48045)
suricata·2025-05-29·CVSS 8.7
CVE-2025-48045 [HIGH] ET WEB_SPECIFIC_APPS Netfax client.php Admin Credentials Disclosure Attempt (CVE-2025-48045)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netfax client.php Admin Credentials Disclosure Attempt (CVE-2025-48045)"; flow:established,to_server; flowbits:set,ET.Netfax.Info_disclosure; http.method; content:"GET"; http.uri; content:"/client.php?"; startswith; content:"_dc"; content:"_type|3d|info"; fast_pattern; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48045; classtype:attempted-admin; sid:2062628; rev:1; metadata:affected_product NetFax, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_05_29, cve CVE_2025_48045, deployment
Suricata
ET WEB_SPECIFIC_APPS Netfax client.php Successful Admin Credentials Disclosure Response (CVE-2025-48045)
suricata·2025-05-29·CVSS 8.7
CVE-2025-48045 [HIGH] ET WEB_SPECIFIC_APPS Netfax client.php Successful Admin Credentials Disclosure Response (CVE-2025-48045)
Rule: alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Netfax client.php Successful Admin Credentials Disclosure Response (CVE-2025-48045)"; flow:established,to_client; flowbits:isset,ET.Netfax.Info_disclosure; http.stat_code; content:"200"; http.response_body; content:"|22|username|3d|"; content:"|3b|password|3d|"; content:"|22|name|22 3a 20 22|NetFax"; fast_pattern; content:"|22|file|22 3a 20 22|client/setup.desc|22|"; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48045; classtype:trojan-activity; sid:2062629; rev:1; metadata:affected_product NetFax
Suricata
ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M1 (CVE-2025-48047)
suricata·2025-05-29·CVSS 9.4
CVE-2025-48047 [CRITICAL] ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M1 (CVE-2025-48047)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M1 (CVE-2025-48047)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/test.php?"; startswith; content:"g_ETHNAMESERVER2|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48047; classtype:attempted-admin; sid:2062631; rev:1; metadata:affected_product NetFax, attack_target Networking_E
Suricata
ET WEB_SPECIFIC_APPS Netfax config.php Successful SMTP Disclosure Response (CVE-2025-48046)
suricata·2025-05-29·CVSS 5.3
CVE-2025-48046 [MEDIUM] ET WEB_SPECIFIC_APPS Netfax config.php Successful SMTP Disclosure Response (CVE-2025-48046)
Rule: alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Netfax config.php Successful SMTP Disclosure Response (CVE-2025-48046)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|22|g_MAILSMTP|22 3a 22|"; fast_pattern; content:"|22|g_SMTPUSER|22 3a 22|"; content:"|22|g_SMTPPASSWORD|22 3a 22|"; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48046; classtype:trojan-activity; sid:2062630; rev:1; metadata:affected_product NetFax, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_05_29, cve CVE_2025_48046, dep
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-05-29