CVE-2025-15082

5.3 MEDIUM

📋 TL;DR

This vulnerability in TOZED ZLT M30s routers allows remote attackers to disclose sensitive information by manipulating the 'goformId' parameter in the web management interface. Attackers can exploit this without authentication to access potentially confidential data. All users of affected ZLT M30s routers are at risk.

💻 Affected Systems

Products:
  • TOZED ZLT M30s
Versions: Up to version 1.47
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface component specifically through the /reqproc/proc_post endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of router configuration, credentials, or network information leading to further attacks on internal networks.

🟠 Likely Case

Disclosure of router configuration details, network settings, or other sensitive information that could aid attackers in reconnaissance.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details and proof-of-concept are publicly available on multiple platforms including YouTube and security blogs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor was contacted but did not respond. Consider workarounds or replacement.

🔧 Temporary Workarounds

Disable Web Management Interface (all platforms)

Disable the vulnerable web interface to prevent exploitation

Router-specific commands vary; check device documentation for disabling web interface

Restrict Network Access (Linux)

Block external access to router management interface

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Segment affected routers in isolated network zones
  • Implement strict firewall rules to block all external access to management interfaces

🔍 How to Verify

Check if Vulnerable:

Test if /reqproc/proc_post endpoint responds to manipulated goformId parameter requests

Check Version:

Check router web interface or use telnet/ssh to query firmware version

Verify Fix Applied:

Verify web interface is disabled or inaccessible from untrusted networks

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /reqproc/proc_post with manipulated parameters
  • Multiple failed authentication attempts followed by information disclosure requests

Network Indicators:

  • External IP addresses accessing router management ports
  • Unusual traffic patterns to /reqproc/proc_post endpoint

SIEM Query:

source_ip=external AND dest_port IN (80,443) AND uri_path="/reqproc/proc_post" AND query_string CONTAINS "goformId"
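
The SIEM query above, written out as a log filter (an added example, not part of the original advisory). It assumes combined-format access logs from a proxy or sensor in front of the router, treats RFC 1918 and loopback sources as internal, and adds a lower-confidence "review" tier for external hits where goformId is not visible in the query string; the sample lines and function names are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/reqproc/proc_post"  # endpoint named in the advisory
PARAM = "goformId"               # parameter named in the advisory

# Assumption: these ranges are "internal"; any other source (including IPv6) is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed input format: combined access log (src, request line, status).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or garbage in the source field: cannot classify
    return not any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return a finding dict for an external request to ENDPOINT, else None."""
    m = LINE_RE.match(line)
    if not m or not is_external(m["src"]):
        return None
    url = urlsplit(m["target"])
    if url.path.rstrip("/") != ENDPOINT:
        return None
    # "match": full SIEM condition. "review": parameter may be in an unlogged body.
    has_param = PARAM in parse_qs(url.query, keep_blank_values=True)
    return {"src": m["src"], "method": m["method"],
            "status": int(m["status"]), "level": "match" if has_param else "review"}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation address ranges, placeholder parameter value).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2026:03:12:44 +0000] "POST /reqproc/proc_post?goformId=PLACEHOLDER HTTP/1.1" 200 512 "-" "-"',
    '192.168.1.20 - - [10/Jan/2026:03:13:02 +0000] "POST /reqproc/proc_post?goformId=PLACEHOLDER HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.23 - - [10/Jan/2026:03:14:10 +0000] "POST /reqproc/proc_post HTTP/1.1" 200 498 "-" "-"',
    '203.0.113.7 - - [10/Jan/2026:03:15:31 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any "match" or "review" hit also means the management interface is reachable from an untrusted network, which is the condition the workarounds above are meant to remove.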
