CVE-2025-34023

HIGH EXPLOITED NUCLEI

Karel IP Phone IP1211 - Authenticated Path Traversal via CGI Server Page Parameter

Title source: llm

Exploitation Summary

CVE-2025-34023 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including berat isler. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a directory traversal vulnerability in the Karel IP1211 IP Phone Web Management Panel. It allows authenticated users to access sensitive files like /etc/passwd and /etc/shadow via the 'cgiServer.exx?page=' parameter.

Description

A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user input to the page parameter, allowing remote authenticated attackers to access arbitrary files on the underlying system by using crafted path traversal sequences. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

Exploits (1)

exploitdb WORKING POC

by berat isler · textwebappshardware

https://www.exploit-db.com/exploits/48857

View Code ZIP pw:eip

This exploit demonstrates a directory traversal vulnerability in the Karel IP1211 IP Phone Web Management Panel. It allows authenticated users to access sensitive files like /etc/passwd and /etc/shadow via the 'cgiServer.exx?page=' parameter.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Karel IP1211 IP Phone Web Management Panel

Auth required

Prerequisites: Default credentials (admin:admin) · Network access to the device

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Karel IP Phone IP1211 Web Management Panel - Local File Inclusion

HIGHby 0x_Akoko

References (4)

Core 4

Core References

Various Sources product

https://web.archive.org/web/20201020023943/https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon

Exploit, Third Party Advisory third-party-advisory exploit

https://www.exploit-db.com/exploits/48857

Issue Tracking third-party-advisory exploit

https://cxsecurity.com/issue/WLB-2020100038

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/selea-targa-ip-camera-path-traversal

Scores

CVSS v4 8.5

EPSS 0.0185

EPSS Percentile 83.5%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

VulnCheck KEV 2025-06-20

CWE

CWE-22

Status published

Products (1)

Karel/Karel IP Phone IP1211

Published Jun 20, 2025

Tracked Since Feb 18, 2026