CVE-2025-57199
Published 2025-12-03
Priority: P2 (64) · Severity: high · CVSS 3.1: 8.8 · EPSS: 2.96% (85.5th percentile)
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
Detection & IOCs (extracted from sources)
Path: /cgi-bin/user/Config.cgi
Snort/Suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.NetworkFailureDetection.Address Parameter Command Injection Attempt (CVE-2025-57199)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/cgi-bin/user/Config.cgi"; fast_pattern; http.request_body; content:"action|3d|set"; content:"Network.NetworkFailureDetection.Address|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,xchg-rax-rax.github.io/2025/10/13/avtech_vulnerabilites.html; reference:cve,2025-57199; classtype:attempted-admin; sid:2066003; rev:1; metadata:affected_product AvTech, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_03, cve CVE_2025_57199, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic is an HTTP POST to /cgi-bin/user/Config.cgi with a body containing 'action=set' and the 'Network.NetworkFailureDetection.Address' parameter followed by shell metacharacters (;, newline, backtick, pipe, $), any of which may be URL-encoded.
- The vulnerable binary is 'NetFailDetectD'; process-level monitoring for unexpected child processes spawned by this binary can indicate exploitation.
- Exploitation requires authentication; monitor for authenticated sessions followed immediately by POST requests to Config.cgi with shell metacharacters in the Address parameter.
- Traffic is expected in plaintext (non-TLS); deploy detection at the network perimeter and internally.
- Exploitation requires prior authentication to the device; unauthenticated access alone is not sufficient to trigger the vulnerability.
- The Snort/Suricata rule (SID 2066003) matches on a fixed URI byte-size of 24 for /cgi-bin/user/Config.cgi; any firmware variant that uses a different CGI path would evade this rule.
- Affected firmware is specifically identified as DGM1104 FullImg-1015-1004-1006-1003; other firmware versions or models are not confirmed vulnerable.
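To make the rule's conditions testable offline, here is an added example (not the page's or Proofpoint's code) that ports the content and pcre checks of SID 2066003 to plain Python and runs them over constructed request samples, including the bsize:24 limitation noted above and a body where the metacharacter sits in a different parameter:

```python
import re
from typing import NamedTuple

# Added example: a plain-Python port of the conditions in ET SID 2066003,
# not the page's or Proofpoint's code. All request samples are constructed.
CONFIG_CGI = "/cgi-bin/user/Config.cgi"  # 24 bytes, hence the rule's bsize:24
PARAM = "Network.NetworkFailureDetection.Address="
# Port of the rule's pcre: from the end of the parameter name, any non-'&'
# bytes, then one or more shell metacharacters, raw or percent-encoded
# (';', newline, '`', '|', '$'). Applied to the raw body, as the rule is.
META_RE = re.compile(r"[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+")

class Request(NamedTuple):
    method: str
    uri: str
    body: str

def matches_sid_2066003(req: Request) -> bool:
    """True when req satisfies every content and pcre condition of the rule."""
    if req.method != "POST":
        return False
    if len(req.uri) != 24 or req.uri != CONFIG_CGI:  # http.uri; bsize:24
        return False
    if "action=set" not in req.body:  # content:"action|3d|set"
        return False
    start = req.body.find(PARAM)  # content:"Network...Address|3d|"
    if start < 0:
        return False
    # pcre with /R: evaluated relative to the end of the previous content match
    return META_RE.match(req.body, start + len(PARAM)) is not None

SET = "action=set&" + PARAM
SAMPLES = {  # constructed; 192.0.2.0/24 is documentation address space
    "benign": Request("POST", CONFIG_CGI, SET + "192.0.2.10"),
    "encoded_semicolon": Request("POST", CONFIG_CGI, SET + "192.0.2.10%3Btrue"),
    "raw_pipe": Request("POST", CONFIG_CGI, SET + "192.0.2.10|true"),
    "meta_in_other_param": Request("POST", CONFIG_CGI, SET + "192.0.2.10&n=a%3Bb"),
    "wrong_method": Request("GET", CONFIG_CGI, SET + "192.0.2.10%3Btrue"),
    # same body to a CGI path of another length: not alerted on because of
    # the bsize:24 pin (the limitation noted above)
    "other_path": Request("POST", "/cgi-bin/user/Config2.cgi", SET + "192.0.2.10%3Btrue"),
}

def run_samples() -> dict[str, bool]:
    """Evaluate every constructed sample against the rule port."""
    return {name: matches_sid_2066003(req) for name, req in SAMPLES.items()}
```

The "other_path" sample shows why a looser detection (path prefix plus the body conditions) may be preferable on devices whose firmware exposes the CGI under a different name.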
Suricata rule (SID 2066003, published 2025-12-03, CVSS 8.8): ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.NetworkFailureDetection.Address Parameter Command Injection Attempt (CVE-2025-57199). The full rule text is given above.
No public exploits indexed.
No writeups or analysis indexed.