Author: Ameeba

  • CVE-2025-44658: Serious PHP-FPM Misconfiguration Vulnerability in Netgear RAX30

    Overview

    CVE-2025-44658 is a serious vulnerability affecting Netgear RAX30 routers running firmware version V1.0.10.94. It arises because the PHP-FPM configuration does not restrict the interpreter to files with the .php extension, as the recommended configuration requires. An attacker can leverage this flaw to upload and execute malicious scripts with alternate extensions, defeating protections that rely on file-extension filtering. The implications are substantial, ranging from remote code execution to full system compromise. Everyone running the affected version of the Netgear RAX30 must be aware of this vulnerability and its potential implications.

    Vulnerability Summary

    CVE ID: CVE-2025-44658
    Severity: Critical (CVSS: 9.8)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: Remote code execution, information disclosure, potential full system compromise

    Affected Products

    Product | Affected Versions

    Netgear RAX30 | V1.0.10.94

    How the Exploit Works

    An attacker exploiting this vulnerability would first identify a target system running the vulnerable version of Netgear RAX30. The attacker then creates a malicious script, disguising it with a non-.php extension to bypass the file extension filter. This malicious script is then uploaded to the target system, possibly using an exposed web service. Due to the misconfiguration in PHP-FPM settings, the web server executes these scripts as though they were PHP, allowing the attacker to execute arbitrary code, disclose sensitive information, or even compromise the entire system.

    Conceptual Example Code

    Here’s a conceptual example of an HTTP POST request to upload a malicious script to the target system:

    POST /upload_file HTTP/1.1
    Host: target.example.com
    Content-Type: multipart/form-data; boundary=----boundary

    ------boundary
    Content-Disposition: form-data; name="file"; filename="exploit.jpg"
    Content-Type: application/octet-stream

    { binary data }
    ------boundary--

    In this example, `exploit.jpg` is a malicious script disguised as an image file. Once uploaded, due to the PHP-FPM misconfiguration, it could be executed as a PHP script, leading to potential remote code execution or full system compromise.
    Please note that this example is purely conceptual and does not represent an actual exploit. It’s provided to help understand how the vulnerability might be exploited and emphasizes the importance of taking appropriate mitigation steps.
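As an added example (not code from the original post or from the Netgear firmware), the Python script below audits a PHP-FPM pool file for the misconfiguration described above and reproduces FPM's own suffix check, so the effect on an uploaded file such as `exploit.jpg` is visible; the pool contents are constructed, while the directive name `security.limit_extensions` and its empty-value semantics are PHP-FPM's own.

```python
import re
from typing import List, Optional

# Constructed pool configuration reproducing the weak setting.
WEAK_POOL = """\
[www]
user = www-data
listen = 127.0.0.1:9000
; empty value: FPM executes any file the web server hands it
security.limit_extensions =
"""

# The corrected form of the same pool.
HARDENED_POOL = """\
[www]
user = www-data
listen = 127.0.0.1:9000
security.limit_extensions = .php
"""

DIRECTIVE = "security.limit_extensions"
FPM_DEFAULT = [".php", ".phar"]  # what FPM uses when the directive is absent


def parse_limit_extensions(pool_text: str) -> Optional[List[str]]:
    """Return the configured suffix list, [] when the directive is set to an
    empty value, or None when it is absent."""
    for line in pool_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(rf"{re.escape(DIRECTIVE)}\s*=\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return None


def fpm_would_execute(script_path: str, limit: Optional[List[str]]) -> bool:
    """Mirror FPM's check: accept when the path ends with a listed suffix;
    an empty list disables the check and accepts everything."""
    if limit is None:
        limit = FPM_DEFAULT
    if not limit:
        return True
    return any(script_path.endswith(ext) for ext in limit)


def audit_pool(pool_text: str) -> List[str]:
    """Human-readable findings; an empty list means the pool is sound."""
    findings: List[str] = []
    limit = parse_limit_extensions(pool_text)
    if limit == []:
        findings.append(f"{DIRECTIVE} is empty: FPM executes any file; set it to '.php'")
    elif limit is not None:
        bad = [e for e in limit if e not in FPM_DEFAULT]
        if bad:
            findings.append(f"{DIRECTIVE} permits non-PHP suffixes {bad}")
    return findings


if __name__ == "__main__":
    uploaded = "/var/www/uploads/exploit.jpg"
    for name, pool in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL)):
        limit = parse_limit_extensions(pool)
        print(f"{name}: {audit_pool(pool) or 'OK'}; "
              f"{uploaded} would run: {fpm_would_execute(uploaded, limit)}")
```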

  • CVE-2025-44655: Unauthorized Access and Privilege Escalation in TOTOLink Routers

    Overview

    The Common Vulnerabilities and Exposures (CVE) system has identified a critical security flaw in certain TOTOLink routers, referenced as CVE-2025-44655. This vulnerability arises due to an insecure configuration setting in the vsftpd.conf file. As it stands, organizations and individuals using the affected routers are at a significant risk of unauthorized access to system files, privilege escalation, or the use of the compromised server as a pivot point for internal network attacks. This blog post delves into the specifics of CVE-2025-44655, its potential impacts, and how affected users can mitigate these risks.

    Vulnerability Summary

    CVE ID: CVE-2025-44655
    Severity: Critical (9.8)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: Unauthorized access to system files, privilege escalation, potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    TOTOLink A7100RU | V7.4
    TOTOLink A950RG | V5.9
    TOTOLink T10 | V5.9

    How the Exploit Works

    The exploitation of this vulnerability is rooted in the enabled “chroot_local_user” option in the “vsftpd.conf” file. When enabled, this option allows for an unauthorized FTP client to access the root directory of the server. An attacker can leverage this configuration flaw to gain unauthorized access to system files or escalate privileges. Furthermore, a compromised server can be used as a launchpad for additional internal network attacks.

    Conceptual Example Code

    Here is a conceptual example of how an attacker might exploit the vulnerability using an FTP client:

    ftp> open target.example.com
    Connected to target.example.com.
    220 Welcome to TOTOLink FTP service.
    Name (target.example.com:attacker): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> get vsftpd.conf
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for vsftpd.conf (1234 bytes).
    226 Transfer complete.
    ftp> quit
    221 Goodbye.

    In this example, the attacker is able to log in as an anonymous user and navigate to the root directory to obtain the “vsftpd.conf” file. This file can then be analyzed to gain valuable information about the server’s configuration and potentially exploit further vulnerabilities.

    Mitigation Guidance

    The primary mitigation strategy for this vulnerability is to apply the vendor’s patch as soon as it becomes available. In the interim, organizations are advised to employ a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) as temporary mitigation measures against potential exploits. Additionally, organizations can manually disable the “chroot_local_user” option in the “vsftpd.conf” file to prevent unauthorized access to the root directory. It is also crucial to monitor system logs continually so that any suspicious activity is detected.

  • CVE-2025-46122: Arbitrary Command Execution Vulnerability in CommScope Ruckus Unleashed

    Overview

    CVE-2025-46122 is a critical security vulnerability discovered in CommScope Ruckus Unleashed, a popular network management software suite. The vulnerability lies in an authenticated diagnostics API endpoint which, if exploited, could allow an attacker to execute arbitrary commands as root on the targeted system. The severity of this vulnerability is underscored by a high CVSS score of 9.1, indicating a significant risk of system compromise or data leakage. Given the widespread use of CommScope Ruckus Unleashed in enterprise environments, addressing this vulnerability should be a high priority for system administrators.

    Vulnerability Summary

    CVE ID: CVE-2025-46122
    Severity: Critical (9.1)
    Attack Vector: Network
    Privileges Required: Low
    User Interaction: None
    Impact: Potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    CommScope Ruckus Unleashed | Prior to 200.15.6.212.14 and 200.17.7.0.139

    How the Exploit Works

    The exploit takes advantage of an insecure diagnostics API endpoint (`/admin/_cmdstat.jsp`). This endpoint fails to perform adequate validation of input, allowing attacker-controlled input to be passed directly to the shell. An attacker can specify a target by MAC address and execute arbitrary commands with root-level privileges.

    Conceptual Example Code

    An example of how an attacker might exploit this vulnerability is illustrated below. This is a hypothetical HTTP POST request to the vulnerable endpoint, passing a malicious command in the “cmd” parameter:

    POST /admin/_cmdstat.jsp HTTP/1.1
    Host: target.example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer [token]

    mac=00:11:22:33:44:55&cmd=;rm -rf /

    In this example, the attacker is targeting a device with the MAC address `00:11:22:33:44:55` and attempts to execute a malicious command (`rm -rf /`) that deletes all files on the system.

    Recommended Mitigation Steps

    Users of affected versions of CommScope Ruckus Unleashed should apply the vendor-provided patch immediately. If this is not possible, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as a temporary mitigation measure. However, these should not be seen as long-term solutions, as they may not fully protect against all potential exploits of this vulnerability.

  • CVE-2025-46121: Arbitrary Code Execution Vulnerability in CommScope Ruckus Unleashed

    Overview

    This blog post provides a comprehensive analysis of a critical vulnerability in CommScope Ruckus Unleashed systems, identified as CVE-2025-46121. This vulnerability poses a severe threat to organizations utilizing the affected software versions, as it allows remote attackers to execute arbitrary code on the system controller. This vulnerability is significant due to the potential for system compromise or data leakage, which could lead to devastating consequences including loss of sensitive data, disruption of operations, and reputational damage.

    Vulnerability Summary

    CVE ID: CVE-2025-46121
    Severity: Critical (9.8 CVSS)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: System compromise, data leakage

    Affected Products

    Product | Affected Versions

    CommScope Ruckus Unleashed | Prior to 200.15.6.212.14 and 200.17.7.0.139

    How the Exploit Works

    The vulnerability resides in the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` of CommScope Ruckus Unleashed, where a client hostname is passed directly to snprintf as the format string. An attacker can exploit this flaw in two ways. First, a crafted request can be sent to the authenticated endpoint `/admin/_conf.jsp`. Alternatively, the attacker can spoof the MAC address of a favourite station and include malicious format specifiers in the DHCP hostname field. Both methods lead to unauthenticated format-string processing and potential arbitrary code execution on the controller.

    Conceptual Example Code

    In the following conceptual example, an HTTP request is sent to the vulnerable endpoint with a malicious hostname containing format specifiers. This could be used to manipulate memory and execute arbitrary code on the vulnerable system.

    POST /admin/_conf.jsp HTTP/1.1
    Host: target.example.com
    Content-Type: application/json

    { "hostname": "%n%n%n%n" }

    Impact

    A successful exploit of this vulnerability can lead to complete system compromise or data leakage. The attacker could potentially gain full control over the affected system, manipulate data, disrupt operations, or even use the compromised system as a launch pad for further attacks within the network.

    Mitigation

    To address this vulnerability, users are advised to apply the vendor patch as soon as possible. Until the patch can be applied, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) may be used as temporary mitigation. This should, however, not be considered a long-term solution due to the high risk associated with this vulnerability. It’s crucial to keep systems up-to-date and follow best security practices to minimize exposure to such threats.
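The following added example (not from Ruckus or the original posts) shows defender-side validation for both Ruckus web vectors discussed above: shell metacharacters in the `cmd` parameter of `/admin/_cmdstat.jsp` (CVE-2025-46122) and printf-style directives in the client hostname handled by `/admin/_conf.jsp` or received via DHCP (CVE-2025-46121); the log line format and request bodies are constructed for illustration and are not the product's real logs.

```python
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Allowlists describing what legitimate values look like.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# printf-style conversion such as %n, %08x or %s; any '%' already fails the
# hostname allowlist, this regex only names the finding more precisely.
FORMAT_DIRECTIVE_RE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]")
SHELL_META = set(";|&`$<>\n\r")


def decode_form(body: str) -> Dict[str, str]:
    """Minimal application/x-www-form-urlencoded decoder (first value wins)."""
    fields: Dict[str, str] = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields.setdefault(unquote_plus(key), unquote_plus(value))
    return fields


def check_cmdstat(body: str) -> List[str]:
    """Findings for a form-encoded body sent to /admin/_cmdstat.jsp."""
    fields = decode_form(body)
    findings: List[str] = []
    mac = fields.get("mac", "")
    if not MAC_RE.match(mac):
        findings.append(f"mac is not a MAC address: {mac!r}")
    cmd = fields.get("cmd", "")
    meta = sorted(c for c in set(cmd) if c in SHELL_META)
    if meta:
        findings.append(f"cmd contains shell metacharacters {meta}: {cmd!r}")
    return findings


def check_hostname(hostname: str) -> List[str]:
    """Findings for a client hostname, from _conf.jsp or the DHCP hostname option."""
    if FORMAT_DIRECTIVE_RE.search(hostname):
        return [f"hostname carries format directives: {hostname!r}"]
    if not HOSTNAME_RE.match(hostname):
        return [f"hostname outside the RFC 1123 allowlist: {hostname!r}"]
    return []


def check_conf(body: str) -> List[str]:
    """Findings for a JSON body sent to /admin/_conf.jsp."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ["_conf.jsp body is not JSON"]
    if not isinstance(data, dict):
        return ["_conf.jsp body is not a JSON object"]
    return check_hostname(str(data.get("hostname", "")))


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Each constructed line is '<client> <method> <path> <body>'; returns (line_no, finding)."""
    out: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        path, body = parts[2], parts[3]
        if path == "/admin/_cmdstat.jsp":
            out += [(n, f) for f in check_cmdstat(body)]
        elif path == "/admin/_conf.jsp":
            out += [(n, f) for f in check_conf(body)]
    return out


# Constructed request log: a benign request per endpoint, then the two
# malicious patterns from the conceptual examples above.
SAMPLE_LOG = [
    "10.0.0.5 POST /admin/_cmdstat.jsp mac=00:11:22:33:44:55&cmd=ping",
    '10.0.0.5 POST /admin/_conf.jsp {"hostname": "laptop-07"}',
    "10.0.0.9 POST /admin/_cmdstat.jsp mac=00:11:22:33:44:55&cmd=;rm -rf /",
    '10.0.0.9 POST /admin/_conf.jsp {"hostname": "%n%n%n%n"}',
]

if __name__ == "__main__":
    for line_no, finding in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```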

  • CVE-2025-46120: Critical Path-Traversal Flaw in Ruckus Wireless Controllers

    Overview

    The cybersecurity world is once again abuzz with a freshly discovered vulnerability, CVE-2025-46120, that plagues CommScope Ruckus Unleashed and ZoneDirector platforms. This critical vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the controller, potentially leading to system compromise and data leakage.
    The severity of this vulnerability is not to be underestimated since it affects a wide range of enterprise-grade wireless systems. These devices are often used in environments where network security is paramount, such as commercial businesses, government facilities, and educational institutions. With the ability to exploit this vulnerability, attackers could potentially disrupt the operations of these organizations, leading to significant data and financial losses.

    Vulnerability Summary

    CVE ID: CVE-2025-46120
    Severity: Critical (9.8/10 on the CVSS scale)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: System compromise, Data leakage

    Affected Products

    Product | Affected Versions

    CommScope Ruckus Unleashed | Prior to 200.15.6.212.27 and 200.18.7.1.323
    Ruckus ZoneDirector | Prior to 10.5.1.0.282

    How the Exploit Works

    The vulnerability lies within the web interface of the affected Ruckus platforms. Specifically, a path-traversal flaw allows the server to execute attacker-supplied EJS templates outside of the permitted directories. An attacker can upload a malicious template, for example, via FTP, to the server. Once uploaded, the server can be tricked into executing this template, which could contain arbitrary code, leading to privilege escalation and potential system compromise.

    Conceptual Example Code

    A conceptual example of how this vulnerability might be exploited is given below:

    ftp target.example.com
    Name (target.example.com:attacker): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> put malicious.ejs /path/to/vulnerable/directory
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    ftp> bye
    221 Goodbye.

    In this example, an attacker anonymously logs into the FTP server of the target device and uploads a malicious EJS template (`malicious.ejs`) to a vulnerable directory on the server. The server, due to the path-traversal flaw, can then execute the malicious template, leading to a potential system compromise.
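As an added example (not code from Ruckus Unleashed or the original post), the Python function below shows the confinement check a template loader needs so that a request can never reach a template such as `malicious.ejs` outside the permitted directory, including via `..`, absolute paths or symlinks; the directory layout and template names are constructed.

```python
import os
import shutil
import tempfile
from typing import Dict, Optional

ALLOWED_EXT = ".ejs"


def resolve_template(root: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `root`, or None when the
    name escapes the root (via .., absolute paths or symlinks), has the wrong
    extension, or does not exist."""
    root_real = os.path.realpath(root)
    # Never honour an absolute request path; always join beneath the root.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    # commonpath avoids the '/srv/tpl' vs '/srv/tpl-evil' string-prefix trap.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if not candidate.endswith(ALLOWED_EXT):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_fixture() -> str:
    """Constructed tree: templates/ holding one legitimate template, an
    attacker-written template one level up, and a symlink pointing to it."""
    base = tempfile.mkdtemp(prefix="tpl-demo-")
    tpl = os.path.join(base, "templates")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "index.ejs"), "w") as f:
        f.write("<h1><%= title %></h1>\n")
    with open(os.path.join(base, "malicious.ejs"), "w") as f:
        f.write("<% /* attacker-supplied template */ %>\n")
    try:
        os.symlink(os.path.join(base, "malicious.ejs"), os.path.join(tpl, "link.ejs"))
    except (OSError, NotImplementedError):
        pass  # platforms without symlink support: the name simply will not exist
    return base


def demo() -> Dict[str, bool]:
    """Map each requested name to whether the loader would serve it."""
    base = build_fixture()
    tpl = os.path.join(base, "templates")
    requests = ["index.ejs", "../malicious.ejs", "/etc/passwd", "link.ejs",
                "index.ejs/../../malicious.ejs", "index.txt"]
    try:
        return {r: resolve_template(tpl, r) is not None for r in requests}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name!r}: {'served' if served else 'rejected'}")
```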

  • CVE-2025-7382: Pre-Auth Code Execution Vulnerability in Sophos Firewall WebAdmin

    Overview

    CVE-2025-7382 is a high-risk vulnerability that affects the WebAdmin interface of Sophos Firewall versions older than 21.0 MR2 (21.0.2). This command injection vulnerability poses a serious threat to organizations, as it allows adjacent attackers to execute arbitrary code on High Availability (HA) auxiliary devices without authenticating first, provided OTP authentication for the admin user is enabled. It is therefore crucial for network administrators and cybersecurity professionals to understand the implications of this vulnerability and how to mitigate its potential impact.

    Vulnerability Summary

    CVE ID: CVE-2025-7382
    Severity: High (8.8)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: Potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    Sophos Firewall | Older than 21.0 MR2 (21.0.2)

    How the Exploit Works

    The exploit takes advantage of a command injection weakness in the WebAdmin interface of older Sophos Firewall versions. Attackers can craft malicious inputs that are interpreted as part of the command to be executed by the system. When these inputs are processed, the system executes the attacker’s code, hence achieving pre-auth code execution on HA auxiliary devices.

    Conceptual Example Code

    A conceptual example of exploiting this vulnerability could involve sending a malicious HTTP POST request to a vulnerable endpoint, as illustrated below:

    POST /WebAdmin/endpoint HTTP/1.1
    Host: target.example.com
    Content-Type: application/json

    { "malicious_command": "rm -rf /*" }

    In this example, if the malicious_command payload is processed by the system, it could potentially delete all files, leading to a system compromise.

    Mitigation

    The most effective way to mitigate the impact of CVE-2025-7382 is to apply the vendor-provided patch, which upgrades the Sophos Firewall to a version where this vulnerability is fixed (21.0 MR2 or later). In case applying the patch is not immediately feasible, using a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) can serve as temporary mitigation measures, preventing the execution of malicious commands. Regular monitoring and updating of system components and applications is a best practice that can help prevent future vulnerabilities.

  • CVE-2025-46117: Exploitation of Hidden Debug Script in Ruckus Unleashed and ZoneDirector

    Overview

    The cybersecurity world has been rattled by a recently discovered vulnerability, CVE-2025-46117. This vulnerability affects CommScope Ruckus Unleashed and Ruckus ZoneDirector, popular solutions for network management and wireless access control. What makes this vulnerability particularly concerning is its severity, scored at a whopping 9.1 out of 10, and the fact that it allows an authenticated attacker to execute arbitrary commands as root on the controller or specified target. This could potentially lead to a system compromise or data leakage.

    Vulnerability Summary

    CVE ID: CVE-2025-46117
    Severity: Critical (9.1 CVSS Score)
    Attack Vector: Network
    Privileges Required: Low
    User Interaction: Required
    Impact: System compromise or data leakage

    Affected Products

    Product | Affected Versions

    CommScope Ruckus Unleashed | Versions prior to 200.15.6.212.14 and 200.17.7.0.139
    Ruckus ZoneDirector | Versions prior to 10.5.1.0.279

    How the Exploit Works

    The crux of this exploit lies in the `.ap_debug.sh` hidden debug script. Under normal circumstances, this script is invoked from the restricted CLI. However, due to a failure to properly sanitize its input, it’s possible for an authenticated attacker to exploit this vulnerability and execute arbitrary commands as root on the controller or specified target. This could lead to devastating consequences, such as data leakage or a complete system compromise.

    Conceptual Example Code

    Below is a conceptual example of how this vulnerability might be exploited:

    $ ssh user@target-system
    password:
    $ .ap_debug.sh; arbitrary_command

    In this example, an attacker who has already authenticated invokes the `.ap_debug.sh` script and appends an arbitrary command after the semicolon. That command would be executed with root privileges, allowing the attacker to compromise the system or leak data.

    Mitigation and Recommendations

    Given the severity of this vulnerability, immediate action is necessary. Users of the affected products are advised to apply the vendor patch as soon as possible. Versions 200.15.6.212.14 for Ruckus Unleashed and 10.5.1.0.279 for Ruckus ZoneDirector have addressed this vulnerability.
    For those who cannot immediately apply the patch, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation measure. However, these are not foolproof solutions and can only lessen the risk, not eliminate it. As such, applying the official patch remains the most recommended course of action.
    Stay vigilant and updated to protect your systems better.

  • CVE-2025-7624: Critical SQL Injection Vulnerability in Sophos Firewall’s Legacy SMTP Proxy

    Overview

    In the ongoing struggle to keep our digital environments secure, cybersecurity professionals continually discover new vulnerabilities that can potentially compromise system security. One such vulnerability, recently marked as CVE-2025-7624, affects the legacy SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2). The vulnerability is particularly severe as it can lead to remote code execution if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA.
    This vulnerability is a grave concern for any organization using the affected Sophos Firewall versions, as it poses a significant risk of system compromise or data leakage. It is of utmost importance to understand this vulnerability and take the necessary steps to mitigate its potential impact.

    Vulnerability Summary

    CVE ID: CVE-2025-7624
    Severity: Critical (9.8 CVSS Score)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: System compromise or data leakage upon successful exploitation

    Affected Products

    Product | Affected Versions

    Sophos Firewall | Versions older than 21.0 MR2 (21.0.2)

    How the Exploit Works

    The exploit takes advantage of an SQL injection vulnerability in the legacy SMTP proxy of the affected Sophos Firewall versions. An attacker could craft a malicious SQL query to trick the system into executing arbitrary SQL commands. When successful, this could lead to remote code execution, potentially giving the attacker full control over the compromised system. This is particularly dangerous if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA.

    Conceptual Example Code

    Here is a conceptual example of how the vulnerability might be exploited. This is a sample HTTP request, demonstrating how an attacker could inject malicious SQL commands into the system.

    POST /smtp_proxy/endpoint HTTP/1.1
    Host: target.example.com
    Content-Type: application/json

    { "email": "admin'; DROP TABLE users; --" }

    In this example, the attacker closes the legitimate string value `admin` with a quote, appends the SQL statement `DROP TABLE users;`, and comments out the rest of the original query with `--`. If successful, this would delete the entire ‘users’ database table, potentially causing significant damage.

    Mitigation Guidance

    Users are advised to apply the vendor patch as soon as possible to mitigate the risk of this vulnerability. If this is not immediately possible, users can use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary mitigation measure, which can help monitor and block potential SQL injection attempts.

  • CVE-2025-6704: Arbitrary File Writing Vulnerability in Secure PDF eXchange (SPX) of Sophos Firewall

    Overview

    CVE-2025-6704 is a critical vulnerability that exists in the Secure PDF eXchange (SPX) feature of Sophos Firewall. This vulnerability, if exploited, could allow an attacker to execute remote code without authentication, potentially leading to system compromise or data leakage. Users utilizing Sophos Firewall versions below 21.0 MR2 (21.0.2) that run in High Availability (HA) mode combined with a specific SPX configuration are affected. The severity of this vulnerability makes it imperative for security administrators and IT professionals to prioritize its mitigation.

    Vulnerability Summary

    CVE ID: CVE-2025-6704
    Severity: Critical (CVSS: 9.8)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: Potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    Sophos Firewall | Versions older than 21.0 MR2 (21.0.2)

    How the Exploit Works

    The vulnerability lies in the SPX feature of Sophos Firewall. When the firewall runs in High Availability mode with a specific configuration of SPX enabled, it exposes an arbitrary file writing flaw. This vulnerability can be exploited by a remote attacker over the network without requiring any form of authentication or user interaction. Once exploited, this vulnerability allows the attacker to execute arbitrary code on the system, potentially leading to a system compromise or data leakage.

    Conceptual Example Code

    Given the nature of the vulnerability, an attacker could exploit it by sending a specifically crafted HTTP request to the vulnerable endpoint. Below is a conceptual example of what this HTTP request might look like:

    POST /sophos/spx/vulnerable/endpoint HTTP/1.1
    Host: target.example.com
    Content-Type: application/json

    { "malicious_payload": "arbitrary_code_to_execute" }

    In this example, the “malicious_payload” would contain the arbitrary code that the attacker wants to execute on the system. Once the request is processed by the server, the code is written to an arbitrary file and executed, leading to potential system compromise or data leakage.
    Finally, it is important to note that this is a high-severity vulnerability which requires immediate attention. The recommended mitigation steps include applying the vendor patch or using Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary measure.

  • CVE-2025-52164: Agorum Core Open Plaintext Credential Vulnerability

    Overview

    The vulnerability in question, CVE-2025-52164, exists in versions v11.9.2 and v11.10.1 of Software GmbH’s Agorum core open. It is particularly severe because the software stores users’ credentials insecurely: instead of encrypting them, it stores them in plaintext, exposing them to any malicious user who gains access to this data. This vulnerability is of particular concern to organizations that use these versions of Agorum core open, as it could lead to significant breaches of security and privacy.

    Vulnerability Summary

    CVE ID: CVE-2025-52164
    Severity: High (8.2 CVSS Score)
    Attack Vector: Network
    Privileges Required: Low
    User Interaction: Required
    Impact: Potential system compromise or data leakage.

    Affected Products

    Product | Affected Versions

    Agorum core open | v11.9.2
    Agorum core open | v11.10.1

    How the Exploit Works

    The exploitation of this vulnerability stems from the software’s insecure method of storing user credentials. Specifically, instead of encrypting these details, it stores them in plaintext. A malicious actor who gains access to the database or any area where these credentials are stored can read and misuse them directly, leading to unauthorized access to sensitive information or the overall system.

    Conceptual Example Code

    Here is a conceptual example of how a malicious actor might attempt to exploit this vulnerability:

    GET /api/credentials HTTP/1.1
    Host: vulnerable-agorum.example.com
    Content-Type: application/json

    The above HTTP request attempts to access the endpoint where the plaintext credentials are stored. If the attacker has already compromised the system to a degree that allows them to send such requests, they could retrieve these credentials and use them for further malicious activities.

    Mitigation and Patching

    The primary mitigation strategy for this vulnerability is to apply the vendor-provided patch. Software GmbH has released patches for both affected versions of Agorum core open. Organizations using these software versions should apply these patches immediately to protect their systems.
    In cases where applying the patch is not immediately possible, organizations can use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary mitigation strategy. This can help prevent unauthorized access to the vulnerable endpoint until the patch can be applied. However, this should not be seen as a long-term solution, as it does not address the root cause of the vulnerability.
