CVE-2025-57198
published 2025-12-03

CVE-2025-57198: AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi…

Priority: P2 · 64 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.33% (81.4th percentile)
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Detection & IOCs (extracted from sources)

  • Path: /cgi-bin/user/Config.cgi
  • Path: Machine.cgi
  • Command pattern: action=set (POST body) with Network.FTP.* parameters containing shell metacharacters (;, \n, `, |, $)

Snort/Suricata rule (Emerging Threats, sid:2066000):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.FTP Multiple Parameters Command Injection Attempt (CVE-2025-57198)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/cgi-bin/user/Config.cgi"; fast_pattern; http.request_body; content:"action|3d|set"; pcre:"/Network\x2eFTP\x2e.*\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,xchg-rax-rax.github.io/2025/10/13/avtech_vulnerabilites.html; reference:cve,2025-57198; classtype:attempted-admin; sid:2066000; rev:1;)
  • Look for HTTP POST requests to /cgi-bin/user/Config.cgi whose body contains action=set and a Network.FTP.* parameter carrying a shell metacharacter: semicolon (; or %3B), newline (\n or %0A), backtick (` or %60), pipe (| or %7C) or dollar sign ($ or %24). Match both the raw and the URL-encoded form, as the rule's pcre does.
  • The vulnerability is an authenticated command injection; monitor authenticated sessions that POST to Machine.cgi or Config.cgi on AVTECH DGM1104 devices running firmware FullImg-1015-1004-1006-1003.
  • The Snort/Suricata rule (ET sid:2066000) matches on HTTP buffers, so it only fires on plaintext HTTP or on traffic already decrypted in front of the sensor (its metadata marks it as plaintext-only). Its deployment metadata flags both the perimeter and internal segments, so apply it on internal segments as well: the device's web interface is as likely to be reached from inside the network as across the perimeter.
  • http.uri with bsize:24 requires the request URI to be exactly /cgi-bin/user/Config.cgi (24 bytes), with no query string. Use this fixed length to cut false positives in URI-based detection, and remember that a request carrying a query string will not match this rule.
  • The NVD description names Machine.cgi as the vulnerable endpoint, while the Emerging Threats rule targets Config.cgi with Network.FTP parameters; as written, the rule does not fire on requests to Machine.cgi. Treat both endpoints on AVTECH DGM1104 firmware FullImg-1015-1004-1006-1003 as in scope and make sure detection coverage addresses both paths.
  • Exploitation requires prior authentication, so a detection that keys only on the request pattern cannot tell an attacker's session from a legitimate administrator changing FTP settings. Correlate hits with authentication events (which account logged in, from where, and whether that account normally edits the FTP configuration).
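The detection logic described above, as an added Python example (not code from the page, from Emerging Threats, or from AVTECH): it applies the same conditions as ET sid:2066000 to constructed sample requests (POST, URI exactly /cgi-bin/user/Config.cgi, action=set in the body, a Network.FTP.* value carrying a raw or percent-encoded metacharacter), cross-checks a per-parameter check against a transcription of the rule's pcre, and shows that the same payload sent to Machine.cgi is not caught by this rule. The sample requests, host address, session cookie and the directory prefix used for Machine.cgi are constructed for illustration; the page gives only the file name for that endpoint.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Conditions mirrored from ET sid:2066000: POST, URI exactly this path (bsize:24),
# body containing action=set and a Network.FTP.* value with a shell metacharacter.
TARGET_URI = "/cgi-bin/user/Config.cgi"
assert len(TARGET_URI) == 24  # the bsize:24 constraint in the rule

# Shell metacharacters the rule looks for, raw and percent-encoded: ; \n ` | $
META = re.compile(r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")

# The rule's pcre, transcribed from hex escapes to readable form, for comparison.
ET_PCRE = re.compile(
    r"Network\.FTP\..*=[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+", re.S)


@dataclass
class Request:
    method: str
    uri: str
    body: str


def parse_request(raw: str) -> Request:
    """Minimal HTTP/1.1 request parser: request line plus the body after the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return Request(method, uri, body)


def suspicious_params(body: str) -> List[str]:
    """Names of Network.FTP.* parameters whose raw (undecoded) value carries a metacharacter.

    Splitting on '&' before decoding means a %26 inside a value cannot smuggle in a
    second parameter, and matching the raw value catches both ';' and '%3B'.
    A legitimate FTP password containing '$' or '|' will also match; that is the same
    trade-off the ET rule makes, so tune on the parameter name if that is a problem.
    """
    hits = []
    for pair in body.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key.startswith("Network.FTP.") and META.search(value):
            hits.append(key)
    return hits


def et_pcre_matches(body: str) -> bool:
    """Does the transcribed ET pcre fire on this body? Used to cross-check suspicious_params."""
    return ET_PCRE.search(body) is not None


def classify(raw: str) -> Optional[str]:
    """Return an alert string when the request meets all of the rule's conditions, else None."""
    req = parse_request(raw)
    if req.method != "POST" or req.uri != TARGET_URI:
        return None
    if "action=set" not in req.body:
        return None
    hits = suspicious_params(req.body)
    if not hits:
        return None
    return "CVE-2025-57198 Config.cgi Network.FTP command injection attempt in " + ", ".join(hits)


# Constructed sample requests (not real captures); host and cookie are placeholders.
HEAD = "POST {uri} HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: SESSID=placeholder\r\n\r\n"
BENIGN = HEAD.format(uri=TARGET_URI) + "action=set&Network.FTP.Server=ftp.example.net&Network.FTP.Port=21"
RAW_INJECT = HEAD.format(uri=TARGET_URI) + "action=set&Network.FTP.Server=ftp.example.net;id&Network.FTP.Port=21"
ENCODED_INJECT = HEAD.format(uri=TARGET_URI) + "action=set&Network.FTP.Path=%2Fvideo%60id%60"
# Same payload sent to the endpoint NVD names. The directory prefix is assumed for
# illustration (the advisory gives only "Machine.cgi"); the Config.cgi rule does not cover it.
MACHINE_CGI = HEAD.format(uri="/cgi-bin/user/Machine.cgi") + "action=set&Network.FTP.Server=x;id"

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("raw", RAW_INJECT),
               ("encoded", ENCODED_INJECT), ("machine.cgi", MACHINE_CGI)]
    for name, req in samples:
        print(f"{name:12s} -> {classify(req)}")
```

The per-parameter check is slightly stricter than the rule's pcre, whose `.*` between `Network.FTP.` and `=` can span across parameters; on these samples both agree, and the Machine.cgi case is the coverage gap the bullets above point out.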