CVE-2025-34023
Published: 20 June 2025
Summary
CVE-2025-34023 is a high-severity Path Traversal (CWE-22) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, it ranks in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user input to the page parameter, allowing remote authenticated attackers to access arbitrary files on the underlying system by using crafted path traversal sequences. The issue is tracked as CWE-22 and carries a CVSS 4.0 score of 8.5.
Remote authenticated attackers can exploit the flaw to read arbitrary files on the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC, prior to the CVE's publication on 2025-06-20.
The provided references are URLs that contain no mitigation guidance or patch details for this CVE. The EPSS score currently stands at 0.0185, down from a peak of 0.0277, a modest change.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18777
Vulnerability details
A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user input to the page parameter, allowing remote authenticated attackers to access arbitrary files on the underlying system by using crafted path traversal sequences. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
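The control above (validating pathnames so a request cannot leave the intended directory) is what closes this class of bug. The following is an added example, written for this page and not code from Karel or from the IP1211 firmware, of how a CGI handler could validate a `page` parameter before opening a file. `PAGE_ROOT`, the allowed suffixes and the sample request values are constructed assumptions; the phone's real directory layout is not given on the page. The decisive check is the canonicalise-then-contain test at the end; the earlier rejections exist so that a log reviewer gets a specific reason rather than a generic failure.

```python
"""Added example: validating a page-name parameter before it is used to open a file."""
import os
import re
import urllib.parse

# Assumed layout (constructed for this example): the only directory a web panel may
# serve page files from. The real filesystem layout of the phone is not on the page.
PAGE_ROOT = "/var/www/panel/pages"
ALLOWED_SUFFIXES = (".html", ".htm")
# Conservative allowlist: must start with a letter, digit or '_'; may then contain
# '.', '-' and '/' (subdirectory separator). Dotfiles are deliberately not served.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.\-/]*")


class PathRejected(ValueError):
    """Raised when a requested page name must not be opened."""


def safe_page_path(page: str, root: str = PAGE_ROOT) -> str:
    """Return the canonical file path for `page`, or raise PathRejected.

    The checks are independent: even if one were bypassed, the containment test
    at the end still has to pass, and that is the control that actually matters.
    """
    # Percent-decode twice so doubly-encoded sequences (e.g. %252e%252e) cannot
    # arrive looking harmless. A literal '%' is rejected by the allowlist anyway.
    decoded = urllib.parse.unquote(urllib.parse.unquote(page))
    # Control characters, including NUL, are rejected: C string handling stops at
    # NUL, so "status.html\x00.jpg" would pass a suffix check yet open "status.html".
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        raise PathRejected("control character in page name")
    # Treat backslashes as separators so "..\\..\\" cannot masquerade as a filename.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise PathRejected("absolute path not allowed")
    if ".." in decoded.split("/"):
        raise PathRejected("parent-directory component not allowed")
    if not SAFE_NAME.fullmatch(decoded):
        raise PathRejected("character outside allowlist")
    # Canonicalise both sides and require the candidate to remain inside the root.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, candidate]) != root_real or candidate == root_real:
        raise PathRejected("resolved path escapes page root")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise PathRejected("file type not served")
    return candidate


def classify(page: str) -> str:
    """Wrapper for log review: returns 'ok' or 'rejected: <reason>'."""
    try:
        safe_page_path(page)
        return "ok"
    except PathRejected as exc:
        return f"rejected: {exc}"


# Constructed sample of `page` values as they might appear in a request log extract.
SAMPLE_PAGE_VALUES = [
    "status.html",
    "net/ip-settings.htm",
    "../../../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/etc/passwd",
    "/etc/passwd",
    "..\\..\\etc\\passwd",
    "status.html%00.jpg",
    "status.png",
]


def review(values=SAMPLE_PAGE_VALUES) -> dict:
    """Map each sampled page value to its verdict; a quick triage of a log extract."""
    return {value: classify(value) for value in values}


if __name__ == "__main__":
    for value, verdict in review().items():
        print(f"{value!r:32} -> {verdict}")
```

Running the block prints one verdict per sample value. Decoding twice is a deliberate choice here: because the allowlist forbids a literal `%`, a legitimate name never changes under the second decode, while a doubly-encoded traversal is exposed before the component check.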