CVE-2025-43928

5.8 MEDIUM

📋 TL;DR

Infodraw Media Relay Service 7.1.0.0 contains a path traversal vulnerability in its web server on port 12654. Attackers can read arbitrary files, including ServerParameters.xml which may contain administrator credentials in cleartext or MD5 hashes. Organizations using Infodraw MRS 7.1.0.0 are affected.

💻 Affected Systems

Products:
  • Infodraw Media Relay Service (MRS)
Versions: 7.1.0.0
Operating Systems: Windows (likely, based on typical deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default web server configuration on port 12654. The ServerParameters.xml file specifically contains sensitive credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via credential theft leading to unauthorized access, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Administrative credential disclosure allowing unauthorized access to the MRS system and potentially connected surveillance infrastructure.

🟢 If Mitigated

Limited information disclosure if credentials are properly secured with strong hashing and file permissions restrict sensitive data access.

🌐 Internet-Facing: HIGH if the service is exposed to the internet, as exploitation requires no authentication and is technically simple.
🏢 Internal Only: MEDIUM for internal networks, as attackers would need internal access but could still exploit the vulnerability easily once inside.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves simple HTTP requests with directory traversal sequences in the username parameter. Public research presentations demonstrate the technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Contact Infodraw for updated version information and security patches.

🔧 Temporary Workarounds

Network Access Control

all

Restrict access to port 12654/TCP using firewall rules to only trusted IP addresses.

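# Windows Firewall (PowerShell): blocks all inbound connections to 12654/TCP
New-NetFirewallRule -DisplayName "Block MRS Port" -Direction Inbound -LocalPort 12654 -Protocol TCP -Action Block
# Linux iptables: drops all inbound connections to 12654/TCP
iptables -A INPUT -p tcp --dport 12654 -j DROP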

File Permission Hardening

all

Set restrictive permissions on ServerParameters.xml and other sensitive files to prevent unauthorized reading.

# Windows (an explicit deny for Everyone also applies to the account the MRS service runs as)
icacls "C:\Path\To\ServerParameters.xml" /deny Everyone:(R)
# Linux
chmod 600 /path/to/ServerParameters.xml

🧯 If You Can't Patch

  • Isolate the MRS server in a dedicated network segment with strict firewall rules limiting inbound/outbound connections.
  • Implement application-level monitoring for suspicious file access patterns on port 12654 and alert on directory traversal attempts.

🔍 How to Verify

Check if Vulnerable:

Send an HTTP request to http://[target]:12654 with a username parameter containing directory traversal sequences (e.g., ../ServerParameters.xml) and check if sensitive files are returned.

Check Version:

Check the MRS application interface or installation directory for version information (the affected version is 7.1.0.0).

Verify Fix Applied:

Repeat the same request after applying workarounds; it should now be blocked or return an error response.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to port 12654 containing ../ sequences in parameters
  • Access to ServerParameters.xml file from unexpected sources

Network Indicators:

  • Unusual outbound connections from the MRS server following credential theft
  • Traffic patterns indicating file enumeration attempts

SIEM Query:

destination_port:12654 AND (http.uri:*../* OR http.param:*../*)
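
Added example (not part of the original advisory and not vendor code): a log filter for the indicators above that also catches percent-encoded, double-encoded and backslash forms of ../, which the literal wildcard query misses. The log line layout, the request path, the IP addresses and all function names are assumptions constructed for illustration; adapt the parser to whatever your proxy or capture tool emits.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

MRS_PORT = 12654
SENSITIVE_FILE = "serverparameters.xml"
# Assumed (constructed) layout: "<timestamp> <src_ip> <dst_port> <method> <request-target>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")
# A ".." path segment: at the start or after "/", followed by "/" or end of value.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2025-01-01T10:00:00Z 198.51.100.7 12654 GET /?username=operator1",
    "2025-01-01T10:00:05Z 198.51.100.7 12654 GET /?username=../ServerParameters.xml",
    "2025-01-01T10:00:09Z 203.0.113.9 12654 GET /?username=%252e%252e%255cServerParameters.xml",
    "2025-01-01T10:00:12Z 203.0.113.9 443 GET /?username=../ServerParameters.xml",
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat Windows separators like "/"

def classify(line):
    """Return (src_ip, field, reason) findings for one log line; [] if clean."""
    m = LINE_RE.match(line.strip())
    if not m or int(m.group(3)) != MRS_PORT:
        return []  # unparseable, or not traffic to the MRS web port
    src_ip, target = m.group(2), m.group(5)
    parts = urlsplit(target)
    # Inspect the path and every query parameter value after decoding.
    candidates = [("path", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for name, raw in candidates:
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            findings.append((src_ip, name, "traversal"))
        if SENSITIVE_FILE in value.lower():
            findings.append((src_ip, name, "sensitive-file"))
    return findings

def scan(lines):
    """Flatten the findings for a batch of log lines."""
    return [finding for line in lines for finding in classify(line)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
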
