Buffer Overflow in Upload Page (CVE-2025-64053)

Summary

A buffer overflow vulnerability in Fanvil x210 devices was found during an analysis of the latest firmware version. The request does not properly handle the length of the POST parameter, allowing attackers with access to the web interface to cause a denial of service or potentially execute arbitrary commands.

Affected Products

Fanvil x210 V2, firmware V2.12.20

Details

The POST parameter is obtained from a dropdown menu on the Upload File page and is easily editable. This parameter is sent to the path, which does not check the length of the payload, so a value of at least 704 characters causes a denial of service.

Proof of Concept

Additional Information

The issue is fixed in firmware version 2.12.22.2.

Credits

Spike Reply Cybersecurity Team

Disclosure Timeline

01/03/2025: Vulnerability discovered
04/03/2025: Initial contact with vendor
06/03/2025: Technical details shared with vendor
25/04/2025: Disclosure date agreed with vendor (June 6, 2025)
14/05/2025: Vendor reports inability to reproduce the issue
06/06/2025: Team retesting on firmware v2.12.22.2
09/06/2025: Vendor investigates web server changes
25/06/2025: Follow-up request by team
07/07/2025: Another follow-up request
16/07/2025: New disclosure date set (July 28, 2025)
25/11/2025: Disclosure
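
The missing server-side check described under Details, shown as a hardened handler: an added example, not Fanvil's code and not part of the original advisory. The field name `file_type`, the option list and the 32-byte limit are assumptions, since the advisory does not name the real parameter or its values.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names: the advisory does not give the real parameter or options. */
#define FIELD     "file_type="
#define VALUE_MAX 32   /* assumed: longest value the dropdown can legitimately send */

static const char *const ALLOWED[] = { "config", "phonebook", "certificate" };

enum { FIELD_OK = 0, FIELD_MISSING = -1, FIELD_TOO_LONG = -2, FIELD_UNKNOWN = -3 };

/* Locate FIELD at the start of the body or directly after '&'. */
static const char *find_field(const char *body, size_t len)
{
    size_t flen = strlen(FIELD);
    for (size_t i = 0; i + flen <= len; i++) {
        if ((i == 0 || body[i - 1] == '&') && memcmp(body + i, FIELD, flen) == 0)
            return body + i + flen;
    }
    return NULL;
}

/* Copy the dropdown value into out only if it is short enough and a known option. */
int read_upload_type(const char *body, size_t len, char *out, size_t out_cap)
{
    const char *val = find_field(body, len);
    if (val == NULL)
        return FIELD_MISSING;

    /* Measure the value from the received byte count, never with strlen(). */
    size_t remaining = len - (size_t)(val - body);
    const char *end = memchr(val, '&', remaining);
    size_t vlen = end ? (size_t)(end - val) : remaining;

    /* Reject before copying: the browser-side dropdown is not a length guarantee. */
    if (vlen > VALUE_MAX || vlen >= out_cap)
        return FIELD_TOO_LONG;

    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        if (strlen(ALLOWED[i]) == vlen && memcmp(val, ALLOWED[i], vlen) == 0) {
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return FIELD_OK;
        }
    }
    return FIELD_UNKNOWN;
}
```

Matching against the fixed option list also rejects short but unexpected values, so the length limit is not the only control on this field.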