CVE-2025-57201
published 2025-12-03

CVE-2025-57201: AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server…

Priority: P268, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 7.13% (93.5th percentile)
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Detection & IOCs

path: /cgi-bin/user/Config.cgi
command: action=set&Network.NetworkShare.<param>=<value>[;|\n|`||$]
  • Look for HTTP POST requests to /cgi-bin/user/Config.cgi with a body containing 'action=set' and a Network.NetworkShare parameter value that includes shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The exploit targets the SMB server (Network.NetworkShare) configuration function of AVTECH DGM1104 devices; monitor for unexpected outbound connections or process spawning from the device following a POST to Config.cgi.
  • Detection should be deployed at both perimeter and internal network boundaries; traffic is expected over plaintext HTTP (tls_state: plaintext).
  • Exploitation requires prior authentication; unauthenticated attackers cannot directly trigger the command injection.
  • The Snort/Suricata rule (sid:2066002) uses a URI bsize constraint of exactly 24 bytes for /cgi-bin/user/Config.cgi; ensure your IDS/IPS does not normalize or truncate the URI before matching, or the rule may miss the attack.
  • The PCRE in the detection rule matches both URL-encoded and raw shell metacharacters; ensure the inspection engine decodes HTTP body encoding before applying the PCRE, otherwise URL-encoded variants (%3B, %0A, %60, %7C, %24) may evade detection.
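
The matching logic from the bullets above, as an added Python example (it is not the sid:2066002 rule and not code from the sources): it URL-decodes the POST body before testing Network.NetworkShare values, and contrasts that with a matcher that skips decoding. The parameter name `Network.NetworkShare.Example`, the `PLACEHOLDER` values and all sample requests are constructed assumptions.

```python
from urllib.parse import parse_qsl

CONFIG_URI = "/cgi-bin/user/Config.cgi"
PARAM_PREFIX = "Network.NetworkShare."
SHELL_META = frozenset(";\n`|$")  # metacharacters listed on the page


def flagged_params(method, uri, body):
    """Return names of Network.NetworkShare params whose decoded value
    contains a shell metacharacter, for a POST action=set to Config.cgi."""
    if method.upper() != "POST" or uri.split("?", 1)[0] != CONFIG_URI:
        return []
    # parse_qsl percent-decodes names and values, so %3B and ';' look alike.
    pairs = parse_qsl(body, keep_blank_values=True, separator="&")
    if ("action", "set") not in pairs:
        return []
    return [name for name, value in pairs
            if name.startswith(PARAM_PREFIX) and SHELL_META & set(value)]


def raw_only_match(body):
    """Matcher that skips decoding and inspects the body as sent.
    Included only to show which variants it misses."""
    return any(ch in body for ch in SHELL_META)


# Constructed sample requests; "Example" is a hypothetical parameter name
# and PLACEHOLDER stands in for whatever follows the metacharacter.
P = "action=set&Network.NetworkShare.Example="
SAMPLES = [
    ("POST", CONFIG_URI, P + "backup"),                 # benign value
    ("POST", CONFIG_URI, P + "backup%3BPLACEHOLDER"),   # encoded semicolon
    ("POST", CONFIG_URI, P + "backup%0APLACEHOLDER"),   # encoded newline
    ("POST", CONFIG_URI, P + "backup`PLACEHOLDER`"),    # raw backtick
    ("POST", CONFIG_URI, "action=get&Network.NetworkShare.Example=a%7Cb"),
    ("POST", CONFIG_URI, "action=set&Video.Example=a%24b"),
    ("GET", CONFIG_URI, P + "backup%3BPLACEHOLDER"),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        hits = flagged_params(method, uri, body)
        print(f"{method:4} decoded={bool(hits)!s:5} "
              f"raw={raw_only_match(body)!s:5} {body}")
```
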