CVE-2025-57201
Published 2025-12-03
Priority: P2 · 68 · high · CVSS 3.1: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.13% (93.5th percentile)
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
Detection & IOCs
Path: /cgi-bin/user/Config.cgi
Command: action=set&Network.NetworkShare.<param>=<value>[;|\n|`||$]
- Look for HTTP POST requests to /cgi-bin/user/Config.cgi with a body containing 'action=set' and a Network.NetworkShare parameter value that includes shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- The exploit targets the SMB server (Network.NetworkShare) configuration function of AVTECH DGM1104 devices; monitor for unexpected outbound connections or process spawning from the device following a POST to Config.cgi.
- Detection should be deployed at both perimeter and internal network boundaries; traffic is expected over plaintext HTTP (tls_state: plaintext).
- Exploitation requires prior authentication; unauthenticated attackers cannot directly trigger the command injection.
- The Snort/Suricata rule (sid:2066002) uses a URI bsize constraint of exactly 24 bytes for /cgi-bin/user/Config.cgi; ensure your IDS/IPS does not normalize or truncate the URI before matching, or the rule may miss the attack.
- The PCRE in the detection rule matches both URL-encoded and raw shell metacharacters; ensure the inspection engine decodes HTTP body encoding before applying the PCRE, otherwise URL-encoded variants (%3B, %0A, %60, %7C, %24) may evade detection.
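The detection conditions listed above (POST, the exact 24-byte URI, action=set in the body, shell metacharacters in a Network.NetworkShare.* value, raw or percent-encoded), as an added Python example written for this page; it is not the rule's own code and not vendor code. The parameter names Path and User after Network.NetworkShare. and the sample bodies are constructed for illustration; the page only specifies <param>.

```python
from urllib.parse import unquote

TARGET_URI = "/cgi-bin/user/Config.cgi"        # 24 bytes, the exact value the rule's bsize:24 pins
SHELL_METACHARS = (";", "\n", "`", "|", "$")   # raw forms of ; %3B, \n %0A, ` %60, | %7C, $ %24


def suspicious_params(method, uri, body):
    """Return [(parameter, [metachars...])] for every Network.NetworkShare.* value
    in a POST to Config.cgi whose decoded form contains a shell metacharacter.

    Mirrors the rule's conditions: POST method, URI exactly TARGET_URI, body
    containing the literal action=set. Each value is percent-decoded once before
    inspection so URL-encoded variants are not missed (the caveat in the notes)."""
    if method != "POST" or uri != TARGET_URI or "action=set" not in body:
        return []
    hits = []
    for pair in body.split("&"):               # a raw '&' ends a value, like the PCRE's [^&]*?
        key, _, value = pair.partition("=")
        if not key.startswith("Network.NetworkShare."):
            continue
        decoded = unquote(value)
        found = [c for c in SHELL_METACHARS if c in decoded]
        if found:
            hits.append((key, found))
    return hits


def scan(requests):
    """Run suspicious_params over (method, uri, body) tuples; return the indexes that fire."""
    return [i for i, (m, u, b) in enumerate(requests) if suspicious_params(m, u, b)]


# Constructed sample requests, not captured traffic. The parameter names Path and
# User after Network.NetworkShare. are hypothetical; the page only gives <param>.
SAMPLES = [
    ("POST", TARGET_URI, "action=set&Network.NetworkShare.Path=/share/cam1"),      # benign
    ("POST", TARGET_URI, "action=set&Network.NetworkShare.Path=/share;x"),         # raw ';'
    ("POST", TARGET_URI, "action=set&Network.NetworkShare.User=admin%60x%60"),     # encoded backtick
    ("POST", TARGET_URI, "action=set&Network.NetworkShare.User=a%0Ab|c"),          # mixed: %0A and raw '|'
    ("GET", TARGET_URI, "action=set&Network.NetworkShare.Path=/share;x"),          # wrong method
    ("POST", TARGET_URI + "/", "action=set&Network.NetworkShare.Path=/share;x"),   # 25-byte URI: bsize mismatch
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(i, suspicious_params(*SAMPLES[i]))
```

The last sample shows why the URI check is brittle: any normalization that changes the URI length breaks the exact-match condition, so decode and normalize consistently with what the rule expects.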
Suricata
ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.NetworkShare Multiple Parameters Command Injection Attempt (CVE-2025-57201)
suricata · 2025-12-03 · CVSS 8.8
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.NetworkShare Multiple Parameters Command Injection Attempt (CVE-2025-57201)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/cgi-bin/user/Config.cgi"; fast_pattern; http.request_body; content:"action|3d|set"; pcre:"/Network\x2eNetworkShare\x2e.*\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,xchg-rax-rax.github.io/2025/10/13/avtech_vulnerabilites.html; reference:cve,2025-57201; classtype:attempted-admin; sid:2066002; rev:1; metadata:affected_product AvTech, attack_target Netw
No public exploits indexed.
No writeups or analysis indexed.