CVE-2025-15082
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Summary
A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TOZED | ZLT M30s | 1.0 | affected |
| TOZED | ZLT M30s | 1.1 | affected |
| TOZED | ZLT M30s | 1.2 | affected |
| TOZED | ZLT M30s | 1.3 | affected |
| TOZED | ZLT M30s | 1.4 | affected |
| TOZED | ZLT M30s | 1.5 | affected |
| TOZED | ZLT M30s | 1.6 | affected |
| TOZED | ZLT M30s | 1.7 | affected |
| TOZED | ZLT M30s | 1.8 | affected |
| TOZED | ZLT M30s | 1.9 | affected |
| TOZED | ZLT M30s | 1.10 | affected |
| TOZED | ZLT M30s | 1.11 | affected |
| TOZED | ZLT M30s | 1.12 | affected |
| TOZED | ZLT M30s | 1.13 | affected |
| TOZED | ZLT M30s | 1.14 | affected |
| TOZED | ZLT M30s | 1.15 | affected |
| TOZED | ZLT M30s | 1.16 | affected |
| TOZED | ZLT M30s | 1.17 | affected |
| TOZED | ZLT M30s | 1.18 | affected |
| TOZED | ZLT M30s | 1.19 | affected |
| TOZED | ZLT M30s | 1.20 | affected |
| TOZED | ZLT M30s | 1.21 | affected |
| TOZED | ZLT M30s | 1.22 | affected |
| TOZED | ZLT M30s | 1.23 | affected |
| TOZED | ZLT M30s | 1.24 | affected |
| TOZED | ZLT M30s | 1.25 | affected |
| TOZED | ZLT M30s | 1.26 | affected |
| TOZED | ZLT M30s | 1.27 | affected |
| TOZED | ZLT M30s | 1.28 | affected |
| TOZED | ZLT M30s | 1.29 | affected |
| TOZED | ZLT M30s | 1.30 | affected |
| TOZED | ZLT M30s | 1.31 | affected |
| TOZED | ZLT M30s | 1.32 | affected |
| TOZED | ZLT M30s | 1.33 | affected |
| TOZED | ZLT M30s | 1.34 | affected |
| TOZED | ZLT M30s | 1.35 | affected |
| TOZED | ZLT M30s | 1.36 | affected |
| TOZED | ZLT M30s | 1.37 | affected |
| TOZED | ZLT M30s | 1.38 | affected |
| TOZED | ZLT M30s | 1.39 | affected |
| TOZED | ZLT M30s | 1.40 | affected |
| TOZED | ZLT M30s | 1.41 | affected |
| TOZED | ZLT M30s | 1.42 | affected |
| TOZED | ZLT M30s | 1.43 | affected |
| TOZED | ZLT M30s | 1.44 | affected |
| TOZED | ZLT M30s | 1.45 | affected |
| TOZED | ZLT M30s | 1.46 | affected |
| TOZED | ZLT M30s | 1.47 | affected |
Weaknesses
- CWE-200: Information Disclosure
- CWE-284: Improper Access Controls
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://vuldb.com/?id.338410
- https://vuldb.com/?ctiid.338410
- https://vuldb.com/?submit.707306
- https://www.hacklab.eu.org/blogs/zlt_m30s_information_disclosure
- https://youtu.be/u_H29UdiPOc
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.