CVE-2025-26056 PoC — Infinxt iEdge 100 安全漏洞

Source

https://github.com/rohan-pt/CVE-2025-26056

Associated Vulnerability

Title:Infinxt iEdge 100 安全漏洞 (CVE-2025-26056)
Description:A command injection vulnerability exists in the Infinxt iEdge 100 2.1.32 in the Troubleshoot module "MTR" functionality. The vulnerability is due to improper validation of user-supplied input in the mtrIp parameter. An attacker can exploit this flaw to execute arbitrary operating system commands on the underlying system with the same privileges as the web application process.

Readme

# CVE-2025-26056

# Auhtor: Rohan Deshpande

# OS Command Injection

# Summary 
OS command injection is a security vulnerability that allows an 
attacker to execute arbitrary commands on a host operating system 
via a vulnerable application. This can lead to unauthorized access, 
data breaches, and system compromise.

# Impact 
The impact of OS command injection can include unauthorized 
access to system resources, data theft, system compromise, and 
potential full control over the affected server, leading to severe 
security breaches and operational disruptions.

# Affected URL 
http://<ip>:<port>/generateMTRReport

# Recommendation 
To mitigate OS command injection vulnerabilities, validate and 
sanitize all user inputs, use parameterized commands or APIs, and 
implement least privilege principles to limit the execution context of 
applications. Regular security testing and code reviews are also 
essential to identify and remediate potential weaknesses. 

# Proof of Concept
1. Login to the console and navigate to Troubleshoot → MTR.
2. Enter IP and capture the request in burp.
3. Try to fetch ‘/etc/passwd’ file through parameter mtrIP and notice file displayed
in HTTP response.

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →