CVE-2025-6104
📋 TL;DR
This critical vulnerability allows remote attackers to execute arbitrary operating system commands on Wifi-soft UniBox Controller systems by manipulating the 'ipaddress' parameter in the /billing/pms_check.php endpoint. Attackers can gain full control of affected systems without authentication. All users running vulnerable versions of Wifi-soft UniBox Controller are affected.
💻 Affected Systems
- Wifi-soft UniBox Controller
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or deploy ransomware across the network.
Likely Case
Initial foothold leading to lateral movement, data exfiltration, or deployment of cryptocurrency miners on vulnerable systems.
If Mitigated
Attack blocked at network perimeter or detected before significant damage occurs.
🎯 Exploit Status
Public exploit details are available in the GitHub PDF reference. The low complexity and remote unauthenticated nature make this easily weaponizable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available - vendor did not respond to disclosure
Restart Required: No
Instructions:
No official patch available. Consider workarounds or replacement if vendor remains unresponsive.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or sanitize requests to /billing/pms_check.php that carry shell metacharacters in parameters.
# Example WAF rules to block suspicious patterns
# ModSecurity: match on the value of the ipaddress parameter itself, so the '&' that
# separates ordinary query parameters does not trigger the rule
SecRule ARGS:ipaddress "@rx [;|&`$()]" "id:1001,phase:2,deny,msg:'Command injection attempt'"
# nginx: cut off the endpoint entirely (returns 403; this also disables the legitimate PMS check)
location ~ ^/billing/pms_check\.php$ { deny all; }
Network Access Control
Restrict access to the vulnerable endpoint using network controls.
# iptables example to block external access (requires the xt_string match module)
# Caveat: string matching only sees plaintext HTTP on the given port; requests over
# HTTPS, or split across TCP segments, will not match. Pair it with a WAF or a plain
# network ACL rather than relying on it alone.
iptables -A INPUT -p tcp --dport 80 -m string --string "/billing/pms_check.php" --algo bm -j DROP
# Or block the entire billing directory
iptables -A INPUT -p tcp --dport 80 -m string --string "/billing/" --algo bm -j DROP
🧯 If You Can't Patch
- Immediately isolate affected systems from internet and critical internal networks
- Implement strict network segmentation and monitor all traffic to/from vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Test if /billing/pms_check.php endpoint accepts ipaddress parameter with shell metacharacters (e.g., curl 'http://target/billing/pms_check.php?ipaddress=127.0.0.1;id')
Check Version:
Check controller web interface or configuration files for version information (typically in admin panel or /version endpoint)
Verify Fix Applied:
Verify that command injection attempts no longer execute and return appropriate error messages
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /billing/pms_check.php containing shell metacharacters (;, |, &, `, $, (, )) in parameters
- Unusual process execution from web server user (www-data, apache, nginx)
- Outbound connections from web server to unexpected destinations
Network Indicators:
- HTTP requests with command injection patterns in URL parameters
- Sudden increase in outbound traffic from controller system
- Connections to known malicious IPs or command-and-control servers
SIEM Query:
source="web_logs" AND uri_path="/billing/pms_check.php" AND (query_string="*;*" OR query_string="*|*" OR query_string="*&*" OR query_string="*`*" OR query_string="*$(*")
Note: the query_string="*&*" clause also matches every ordinary multi-parameter request to this endpoint, and none of the clauses match percent-encoded metacharacters (e.g. %3B for ';'); for lower noise, decode the query string and match on the ipaddress value rather than the whole string.
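As an added example (not part of this advisory and not the vendor's code), a small Python log scanner that applies the indicators above to constructed access-log lines: it decodes the query string, inspects only the ipaddress value of requests to /billing/pms_check.php, and so catches percent-encoded metacharacters without flagging the '&' that separates ordinary parameters. The dotted-quad check assumes ipaddress is only ever an IPv4 address.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 2 and 3 carry ';' (plain and percent-encoded); line 4 is a benign multi-parameter request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "GET /billing/pms_check.php?ipaddress=10.0.0.7 HTTP/1.1" 200 512
203.0.113.9 - - [10/Jul/2025:12:00:02 +0000] "GET /billing/pms_check.php?ipaddress=127.0.0.1;id HTTP/1.1" 200 734
203.0.113.9 - - [10/Jul/2025:12:00:03 +0000] "GET /billing/pms_check.php?ipaddress=127.0.0.1%3Bid&debug=1 HTTP/1.1" 200 734
203.0.113.12 - - [10/Jul/2025:12:00:04 +0000] "GET /billing/pms_check.php?ipaddress=10.0.0.8&room=101 HTTP/1.1" 200 512
203.0.113.12 - - [10/Jul/2025:12:00:05 +0000] "GET /index.php?q=a;b HTTP/1.1" 200 100
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
VULN_PATH = "/billing/pms_check.php"
META = re.compile(r"[;|&`$()\n]")                # metacharacters listed above, plus newline (%0A)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")  # assumption: ipaddress is only ever a dotted quad

def get_param(query, name):
    """Decoded values of `name`; split on '&' only, so a ';' inside a value is preserved."""
    vals = []
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if unquote_plus(k) == name:
            vals.append(unquote_plus(unquote_plus(v)))  # second pass catches double-encoding
    return vals

def analyse_line(line):
    """Return a finding dict for a suspicious request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    for v in get_param(parts.query, "ipaddress"):
        if META.search(v):
            reason = "shell metacharacter in ipaddress"
        elif not IPV4.match(v):
            reason = "ipaddress is not a dotted-quad address"
        else:
            continue
        return {"src": m.group("src"), "ts": m.group("ts"), "ipaddress": v,
                "status": m.group("status"), "reason": reason}
    return None

def scan(log_text):
    """All findings for a block of log text, in order of appearance."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]
```

Running scan(SAMPLE_LOG) yields two findings, both from 203.0.113.9 with ipaddress "127.0.0.1;id"; the benign multi-parameter request and the unrelated /index.php request produce none.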