CVE-2025-44897
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected FW-WGS-804HPT devices by exploiting a stack overflow in the web upgrade manager. Attackers can achieve full system compromise by sending specially crafted requests to the vulnerable parameter. Only devices running version 1.305b241111 are affected.
💻 Affected Systems
- FW-WGS-804HPT
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root privileges, allowing attackers to install persistent backdoors, pivot to internal networks, and disrupt critical infrastructure.
Likely Case
Remote code execution leading to device compromise, data exfiltration, and potential use as a foothold for lateral movement within the network.
If Mitigated
Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.
🎯 Exploit Status
The public reference contains technical details that could facilitate exploitation. The vulnerability requires no authentication and has a straightforward exploitation path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check vendor website for firmware updates. If available, download the latest firmware and follow vendor's upgrade procedures.
🔧 Temporary Workarounds
Network Access Control
allRestrict access to the device's web interface using firewall rules or network segmentation.
Disable Web Interface
allIf not required, disable the web interface entirely through device configuration.
🧯 If You Can't Patch
- Isolate affected devices in a dedicated VLAN with strict egress filtering
- Implement network-based intrusion detection to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or CLI. If version is exactly 1.305b241111, the device is vulnerable.Check Version:
Check via web interface at System > Firmware or via device-specific CLI commandsVerify Fix Applied:
Verify firmware version has been updated to a version later than 1.305b241111.📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to /web/tool/upgradeManager with large bytftp_srvip parameter values
- Device reboot or crash logs following web interface access
Network Indicators:
- HTTP traffic containing unusually long parameter values in upgrade-related requests
- Unexpected outbound connections from the device post-exploitation
SIEM Query:
source="fw-wgs-804hpt" AND (url_path="/web/tool/upgradeManager" AND method="POST" AND param_length>1000)