Overview
A critical directory traversal vulnerability, identified as CVE-2025-64057, has been discovered in Fanvil x210 V2 devices running firmware version 2.12.20. This vulnerability allows unauthenticated attackers on the local network to write files to arbitrary locations on the device’s file system.
Technical Details
The directory traversal vulnerability exists due to insufficient input validation when handling file paths. An attacker can exploit this by crafting a malicious request that includes directory traversal sequences (e.g., “../”) to navigate outside of the intended directory and write files to sensitive system locations. This can be achieved without authentication, provided the attacker is on the same local network as the vulnerable Fanvil device.
Specifically, the vulnerability allows the attacker to manipulate the destination path of file uploads or writes. By carefully constructing the path, they can overwrite existing system files or create new ones in locations that could lead to privilege escalation or system compromise.
CVSS Analysis
Currently, a CVSS score is not available (N/A) for CVE-2025-64057. However, the potential impact suggests a high level of severity. A low attack complexity combined with the ability to write arbitrary files to the system could lead to a significant CVSS score upon evaluation. The attack vector is limited to the local network.
Possible Impact
The successful exploitation of this vulnerability can lead to severe consequences, including:
- System Configuration Modification: Attackers can modify critical system configuration files, potentially altering the device’s behavior.
- Arbitrary Code Execution: Writing malicious executable files to specific locations could allow attackers to execute arbitrary code on the device.
- Denial of Service (DoS): By overwriting essential system files, attackers could render the device unusable.
- Information Disclosure: Attackers might be able to access sensitive information stored on the device.
Mitigation and Patch Steps
Currently, no official patch is available from Fanvil. However, the following mitigation steps are recommended:
- Network Segmentation: Isolate Fanvil x210 V2 devices on a separate network segment to limit the potential impact of a successful exploit.
- Access Control Lists (ACLs): Implement ACLs on network devices to restrict access to the Fanvil x210 V2 device from untrusted sources.
- Monitor Network Traffic: Monitor network traffic for suspicious activity, such as attempts to access unusual file paths.
- Disable Unnecessary Services: Disable any unnecessary services running on the Fanvil x210 V2 device to reduce the attack surface.
- Contact Fanvil Support: Reach out to Fanvil support for updates on a potential patch for CVE-2025-64057.
- Firmware Updates: Keep an eye out and immediately apply official firmware updates from Fanvil once available.
