CVE-2025-15082
MEDIUM
TOZED ZLT M30s <= 1.47 - Information Disclosure via goformId Parameter
A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
References (5)
Core References
https://vuldb.com/?id.338410 (Third Party Advisory, VDB Entry; vdb-entry, technical-description)
https://vuldb.com/?ctiid.338410 (Permissions Required, VDB Entry; signature, permissions-required)
https://vuldb.com/?submit.707306 (Third Party Advisory, VDB Entry; third-party-advisory)
https://www.hacklab.eu.org/blogs/zlt_m30s_information_disclosure (Exploit, Third Party Advisory; related)
https://youtu.be/u_H29UdiPOc (Exploit; exploit, media-coverage)
Scores
CVSS v3: 5.3
EPSS: 0.0064
EPSS Percentile: 45.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-200, CWE-284
Status: published
Products (1)
gztozed/zlt_m30s_firmware < 1.47
Published: Dec 25, 2025
Tracked Since: Feb 18, 2026