CVE-2024-25830

CRITICAL

F-logic DataCube3 v1.0 - Unauthenticated Path Traversal via Configuration File URI

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-25830.

AI-analyzed exploit summary This exploit chain targets DataCube3 v1.0, leveraging an information disclosure vulnerability to extract root credentials and an unrestricted file upload flaw to achieve remote code execution via a PHP reverse shell. The script automates the entire process, from credential extraction to shell execution.

Description

F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin password.

Exploits (1)

exploitdb WORKING POC
webappsphp
https://www.exploit-db.com/exploits/51868

This exploit chain targets DataCube3 v1.0, leveraging an information disclosure vulnerability to extract root credentials and an unrestricted file upload flaw to achieve remote code execution via a PHP reverse shell. The script automates the entire process, from credential extraction to shell execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: DataCube3 v1.0
No auth needed
Prerequisites: Network access to the target's web interface · Target must be running DataCube3 v1.0
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.2403
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-22 CWE-284
Status published
Products (1)
f-logic/datacube3_firmware 1.0
Published Feb 29, 2024
Tracked Since Feb 18, 2026