CVE-2025-30515: CyberData Intercom Auth Bypass Flaw

CVE-2025-30515 Overview

CVE-2025-30515 affects the CyberData 011209 SIP Emergency Intercom, an IP-based communications device deployed in industrial and public safety environments. The vulnerability allows an authenticated attacker to upload arbitrary files to multiple locations within the device file system. The flaw is tracked under CWE-35: Path Traversal and stems from improper restriction of file paths during upload operations.

CISA published advisory ICSA-25-155-01 covering this issue. The vulnerability impacts both the 011209 SIP Emergency Intercom hardware and its firmware.

Critical Impact

An authenticated attacker can write arbitrary files anywhere on the intercom file system, enabling persistent code execution, configuration tampering, and full device compromise in industrial control environments.

Affected Products

• CyberData 011209 SIP Emergency Intercom (hardware)
• CyberData 011209 SIP Emergency Intercom Firmware (all versions prior to the vendor fix)
• Deployments referenced in CISA ICS Advisory ICSA-25-155-01

Discovery Timeline

• 2025-06-09 - CVE-2025-30515 published to the National Vulnerability Database
• 2025-08-12 - Last updated in the NVD database

Technical Details for CVE-2025-30515

Vulnerability Analysis

The CyberData 011209 SIP Emergency Intercom exposes a web-based administrative interface for configuration, firmware updates, and audio file management. The interface accepts uploaded files but fails to validate or canonicalize destination paths supplied during the upload request. An authenticated user with access to the management interface can therefore direct file writes to arbitrary locations across the embedded Linux file system.

Because the device runs on a constrained embedded platform, an attacker who places a file in a startup directory, configuration directory, or web root can achieve persistent code execution. The intercom typically operates with elevated privileges to control hardware peripherals, amplifying the impact of any successful write.

The vulnerability has network attack reach and requires no user interaction. Confidentiality, integrity, and availability of the device are all compromised on successful exploitation.

Root Cause

The root cause is improper neutralization of path traversal sequences during file upload handling, mapped to CWE-35: Path Traversal in Shell Metacharacters. The upload handler trusts client-supplied path components without enforcing an allow-list of destination directories or rejecting .. sequences.

Attack Vector

Exploitation requires valid authentication to the device management interface. CyberData intercoms are frequently deployed with default or weak credentials, and emergency intercoms are often reachable from internal VLANs that span multiple sites. An authenticated attacker submits a crafted upload request whose filename or path field includes traversal characters or absolute paths, causing the file to land in a sensitive location such as /etc/, /www/, or a service startup directory. No exploit code is publicly available at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-30515

Indicators of Compromise

• Unexpected files in system directories such as /etc/, /usr/local/, or the device web root following an administrative session
• Modifications to startup scripts, cron jobs, or service unit files on the intercom
• HTTP POST requests to the device upload endpoints containing .., /etc/, or absolute path strings in filename parameters
• New or unexpected outbound network connections originating from the intercom IP address

Detection Strategies

• Inspect web server access logs on the intercom for upload requests containing path traversal sequences
• Baseline the firmware file system and compare against running devices to identify unauthorized files
• Monitor management interface authentication events and correlate with subsequent upload activity
• Capture and review SIP and HTTP traffic between intercoms and management hosts using a network sensor

Monitoring Recommendations

• Forward intercom syslog output to a centralized log platform and alert on configuration changes
• Place CyberData devices on a segmented VLAN and monitor north-south traffic for anomalies
• Track firmware version inventory across all deployed intercoms to confirm patch coverage
• Alert on any administrative session originating from outside an approved management subnet

How to Mitigate CVE-2025-30515

Immediate Actions Required

• Restrict network access to the intercom management interface to a dedicated management VLAN
• Replace default and shared administrative credentials with unique, strong passwords on every device
• Audit existing devices for unauthorized files in system directories and reflash firmware if tampering is suspected
• Apply the firmware update referenced in CISA ICS Advisory ICSA-25-155-01 as soon as the vendor release is available

Patch Information

CyberData has coordinated remediation guidance with CISA. Refer to CISA ICS Advisory ICSA-25-155-01 for the current fixed firmware version and download instructions for the 011209 SIP Emergency Intercom. Verify firmware integrity using vendor-provided checksums before deployment.

Workarounds

• Block inbound access to the device HTTP and HTTPS management ports from untrusted networks at the upstream firewall
• Disable remote administration features that are not required for operational use
• Enforce IP allow-lists so that only designated management workstations can reach the intercom web interface
• Rotate administrative credentials and review user accounts to remove unused or shared logins

# Example: restrict intercom management access at an upstream firewall
# Replace INTERCOM_IP and MGMT_SUBNET with site-specific values
iptables -A FORWARD -s MGMT_SUBNET -d INTERCOM_IP -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d INTERCOM_IP -p tcp --dport 443 -j DROP
iptables -A FORWARD -d INTERCOM_IP -p tcp --dport 80  -j DROP