Login Sign Up

CVE-2025-64057

8.3 HIGH

📋 TL;DR

An unauthenticated directory traversal vulnerability in Fanvil x210 V2 IP phones allows attackers on the local network to write files to arbitrary locations. This could lead to system configuration changes or other impacts. Only systems running the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • Fanvil x210 V2
Versions: 2.12.20
Operating Systems: Embedded phone firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with this specific firmware version. Requires attacker access to local network segment containing the phone.

📦 What is this software?

X210 Firmware by Fanvil

View all CVEs affecting X210 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could overwrite critical system files, modify configuration to enable persistent backdoors, or potentially achieve remote code execution by writing malicious scripts to executable locations.

🟠

Likely Case

Attackers modify phone configuration to redirect calls, enable unauthorized features, or disrupt phone functionality. Could be used as initial foothold for lateral movement.

🟢

If Mitigated

With proper network segmentation and access controls, impact limited to phone functionality disruption within isolated VLAN.

🌐 Internet-Facing: LOW - Vulnerability requires local network access according to description.
🏢 Internal Only: HIGH - Unauthenticated exploitation from local network with potential system modification.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities typically have low exploitation complexity. No public exploit code mentioned in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://fanvil.com

Restart Required: Yes

Instructions:

1. Check Fanvil website for firmware updates. 2. Download latest firmware. 3. Upload to phone via web interface. 4. Reboot phone after update.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate IP phones on separate VLAN to limit attack surface

Access Control Lists

all

Implement network ACLs to restrict access to phone management interfaces

🧯 If You Can't Patch

  • Segment IP phones onto isolated VLAN with strict firewall rules
  • Monitor network traffic to/from phones for unusual file transfer patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version in phone web interface: System > Status > Version. If version is 2.12.20, device is vulnerable.

Check Version:

Not applicable - check via web interface or phone display

Verify Fix Applied:

After firmware update, verify version is no longer 2.12.20. Test file upload functionality with traversal payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in system logs
  • Multiple failed authentication attempts followed by file uploads

Network Indicators:

  • HTTP POST requests with directory traversal sequences (../) to phone IP
  • Unusual outbound connections from phone after file upload

SIEM Query:

source_ip=phone_ip AND (http_uri CONTAINS "../" OR http_method="POST" AND http_content_type="multipart/form-data")

📊 Metadata

CVE ID: CVE-2025-64057
CVSS v3 Score: 8.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE: CWE-22
EPSS Score: 0.1% exploit probability (27.3th percentile)
Published: December 5, 2025
Last Updated: January 9, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64057, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)