CVE-2025-48047
published 2025-05-29

CVE-2025-48047: An authenticated user can perform command injection via unsanitized input to the NetFax Server’s ping functionality via the /test.php endpoint.

Priority P261 | critical 9.4 | CVSS 4.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 11.72% (95.5th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mici_network_co_ltd | netfax_server | < 3.0.1.0 | 3.0.1.0 |

Detection & IOCs (extracted from sources)

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M2 (CVE-2025-48047)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/test.php"; startswith; http.request_body; content:"g_ETHNAMESERVER2|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48047; classtype:attempted-admin; sid:2062632; rev:1;)
```

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netfax test.php g_ETHNAMESERVER2 Parameter Command Injection Attempt M1 (CVE-2025-48047)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/test.php?"; startswith; content:"g_ETHNAMESERVER2|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.rapid7.com/blog/post/2025/05/29/cve-2025-48045-cve-2025-48046-cve-2025-48047-mici-netfax-server-product-vulnerabilities-not-fixed/; reference:cve,2025-48047; classtype:attempted-admin; sid:2062631; rev:1;)
```

  • CVE-2025-48047 is exploited through the `g_ETHNAMESERVER2` POST body parameter of `/test.php` (M2 variant). Look for POST requests to `/test.php` whose body contains `g_ETHNAMESERVER2=` followed by shell metacharacters: semicolon (`;`/`%3B`), newline (`\n`/`%0A`), backtick (`` ` ``/`%60`), pipe (`|`/`%7C`), or dollar sign (`$`/`%24`).
  • CVE-2025-48047 also has a GET variant (M1). Look for GET requests to `/test.php?` with `g_ETHNAMESERVER2=` in the URI query string, followed by the same set of shell metacharacters.
  • Traffic is expected in plaintext (non-TLS). Deploy detection at the network perimeter and internally.
  • The Snort/ET rules for CVE-2025-48047 (sids 2062631 and 2062632) use a PCRE anchored relative to the `g_ETHNAMESERVER2=` content match. Ensure your IDS/IPS engine supports the `http.request_body` sticky buffer and relative PCRE (`/R` flag) for accurate matching of the POST variant.
  • The vendor has not fixed these vulnerabilities as of the disclosure date (2025-05-29). No patch is available; detection and network-level blocking are the primary mitigations.
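
The matching logic of the two rules above, as an added Python example (not code from this page or from the rule authors) for triaging requests already captured in proxy or web logs. The function names and the sample requests are constructed for illustration; the parameter name, path and metacharacter set come from the rules.

```python
import re
from typing import Optional

# Mirrors the rules' relative PCRE: after "g_ETHNAMESERVER2=", a run of
# non-'&' characters followed by ; newline ` | or $ (raw or percent-encoded).
# [^&] keeps the match inside this one parameter's value.
PARAM_INJECTION = re.compile(
    r"g_ETHNAMESERVER2=[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)"
)

def matches_rule(method: str, uri: str, body: str = "") -> Optional[str]:
    """Return "M1" (GET variant) or "M2" (POST variant) on a match, else None."""
    if method == "GET" and uri.startswith("/test.php?"):
        return "M1" if PARAM_INJECTION.search(uri) else None
    if method == "POST" and uri.startswith("/test.php"):
        return "M2" if PARAM_INJECTION.search(body) else None
    return None

def scan(requests):
    """Yield (index, variant) for every request that matches either rule."""
    for i, (method, uri, body) in enumerate(requests):
        variant = matches_rule(method, uri, body)
        if variant:
            yield i, variant

# Constructed sample requests (method, URI, body); values are placeholders.
SAMPLES = [
    ("POST", "/test.php", "g_ETHNAMESERVER2=192.0.2.1"),                # plain value
    ("POST", "/test.php", "g_ETHNAMESERVER2=192.0.2.1%3BEXAMPLE"),      # encoded ';'
    ("POST", "/test.php", "g_ETHNAMESERVER2=192.0.2.1&note=a%3Bb"),     # ';' in another field
    ("GET", "/test.php?g_ETHNAMESERVER2=192.0.2.1|EXAMPLE", ""),        # raw '|'
    ("GET", "/index.php?g_ETHNAMESERVER2=192.0.2.1;EXAMPLE", ""),       # different path
]

if __name__ == "__main__":
    for index, variant in scan(SAMPLES):
        print(f"request {index}: matches {variant}")
```

The third sample shows why the expression stops at `&`: a metacharacter in a different form field does not count as a hit on `g_ETHNAMESERVER2`.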