CVE-2025-57199
published 2025-12-03


Priority: P2 (64)
CVSS 3.1: 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.96% (85.5th percentile)
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Detection & IOCs (extracted from sources)

Path: /cgi-bin/user/Config.cgi
Snort/Suricata rule (SID 2066003):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.NetworkFailureDetection.Address Parameter Command Injection Attempt (CVE-2025-57199)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/cgi-bin/user/Config.cgi"; fast_pattern; http.request_body; content:"action|3d|set"; content:"Network.NetworkFailureDetection.Address|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,xchg-rax-rax.github.io/2025/10/13/avtech_vulnerabilites.html; reference:cve,2025-57199; classtype:attempted-admin; sid:2066003; rev:1; metadata:affected_product AvTech, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_03, cve CVE_2025_57199, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic is HTTP POST to /cgi-bin/user/Config.cgi with body containing 'action=set' and the 'Network.NetworkFailureDetection.Address' parameter followed by shell metacharacters (;, newline, backtick, pipe, $) — all potentially URL-encoded.
  • The vulnerable binary is 'NetFailDetectD'; process-level monitoring for unexpected child processes spawned by this binary can indicate exploitation.
  • Exploitation requires authentication; monitor for authenticated sessions followed immediately by POST requests to Config.cgi with shell metacharacters in the Address parameter.
  • Traffic is expected in plaintext (non-TLS); deploy detection at the network perimeter and internally.
  • Exploitation requires prior authentication to the device; unauthenticated access alone is not sufficient to trigger the vulnerability.
  • The Snort/Suricata rule (SID 2066003) matches on a fixed URI byte-size of 24 for /cgi-bin/user/Config.cgi; any firmware variant that uses a different CGI path would evade this rule.
  • Affected firmware is specifically identified as DGM1104 FullImg-1015-1004-1006-1003; other firmware versions or models are not confirmed vulnerable.
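Added example, not from this page or the rule's authors: a Python re-implementation of the SID 2066003 match conditions, run over constructed sample requests, to show what the rule flags and what it misses (including the fixed-path caveat above). The host name, sample values and function names are assumptions for illustration only.

```python
import re

# Shell metacharacters the rule's pcre accepts, raw or percent-encoded:
# ';' (%3B), newline (%0A), backtick (%60), pipe (%7C) and '$' (%24).
META_RE = re.compile(r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")
PARAM = "Network.NetworkFailureDetection.Address="
CGI_PATH = "/cgi-bin/user/Config.cgi"  # 24 bytes, hence bsize:24 in the rule


def matches_sid_2066003(method: str, uri: str, body: str) -> bool:
    """Mirror each condition of ET SID 2066003 over one parsed HTTP request."""
    if method.upper() != "POST":
        return False
    # bsize:24 plus an exact content match: any other CGI path is not flagged.
    if len(uri.encode()) != 24 or uri != CGI_PATH:
        return False
    if "action=set" not in body or PARAM not in body:
        return False
    # The pcre is relative (/R) to the end of "...Address=" and stops at '&',
    # so only this parameter's own value is inspected.
    value = body.split(PARAM, 1)[1].split("&", 1)[0]
    return META_RE.search(value) is not None


def check_raw_request(raw: str) -> bool:
    """Split a minimal raw HTTP/1.1 request into method, URI and body, then match."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return matches_sid_2066003(method, uri, body)


# Constructed sample requests for the checks below; not captured traffic.
_HDR = " HTTP/1.1\r\nHost: camera.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
SAMPLES = {
    # Legitimate configuration change: plain address, no metacharacter.
    "benign_set": "POST " + CGI_PATH + _HDR + "action=set&" + PARAM + "192.0.2.10",
    # Percent-encoded ';' inside the Address value: this is what the rule fires on.
    "encoded_meta": "POST " + CGI_PATH + _HDR + "action=set&" + PARAM + "192.0.2.10%3B",
    # Metacharacter in a different parameter only: outside the pcre's scope, no alert.
    "meta_elsewhere": "POST " + CGI_PATH + _HDR + "action=set&Other=x%3B&" + PARAM + "192.0.2.10",
    # Same body against a different CGI path: the bsize:24 check fails, no alert (the caveat above).
    "other_path": "POST /cgi-bin/user/Conf.cgi" + _HDR + "action=set&" + PARAM + "192.0.2.10%3B",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} -> {'ALERT' if check_raw_request(raw) else 'no alert'}")
```

The "other_path" sample is the evasion case from the caveat above: the same body is not flagged once the URI length differs, so path-agnostic process monitoring on NetFailDetectD remains a useful second layer.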