CVE-2025-57433

MEDIUM

2wcom IP-4c 2.15.5 - Authenticated Exposure of Sensitive Information via /cwi/ajax_request/get_data.php

Title source: llm

Description

The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint (/cwi/ajax_request/get_data.php), an authenticated attacker (even with a low-privileged account like guest) can retrieve the hashed passwords for the admin, manager, and guest accounts. This significantly weakens the system's security posture, as these hashes could be cracked offline, granting attackers administrative access to the device.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57433

View Exploit ZIP pw:eip

Product

https://www.2wcom.com/

Scores

CVSS v3 6.5

EPSS 0.0033

EPSS Percentile 24.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

2wcom/ip-4c_firmware 2.15.5

Published Sep 22, 2025

Tracked Since Feb 18, 2026