CVE-2025-48045 Overview
CVE-2025-48045 is an information disclosure vulnerability in the MICI NetFax Server. An unauthenticated HTTP GET request to the /client.php endpoint returns the default administrator user credentials in the response. The flaw maps to CWE-201 (Insertion of Sensitive Information Into Sent Data) and requires no authentication, no user interaction, and no special privileges. The vendor has not released a fix according to the public Rapid7 disclosure.
Critical Impact
Any network-adjacent attacker can retrieve administrator credentials by issuing a single HTTP GET request, enabling full administrative takeover of the fax server.
Affected Products
- MICI NetFax Server (per vendor advisory in the Rapid7 Blog on CVE-2025-48045)
- Web management interface exposing the /client.php endpoint
- Deployments reachable over the network without front-end authentication
Discovery Timeline
- 2025-05-29 - Public disclosure via Rapid7 blog post covering CVE-2025-48045, CVE-2025-48046, and CVE-2025-48047
- 2025-05-29 - CVE-2025-48045 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-48045
Vulnerability Analysis
The MICI NetFax Server exposes a /client.php endpoint on its web management interface. This endpoint responds to unauthenticated HTTP GET requests with content that includes the default administrator account credentials. The issue is an information exposure flaw classified under CWE-201, where sensitive data is returned in an HTTP response that should require authentication or omit the secret entirely.
An attacker who can reach the management interface over the network does not need credentials, browser-based interaction, or chained exploitation. A single request retrieves the credentials needed to authenticate to the administrator console. Once authenticated, the attacker controls fax routing, stored documents, system configuration, and any integrations the appliance maintains with mail or telephony infrastructure.
Root Cause
The root cause is a design flaw in the /client.php handler. The script returns sensitive configuration data, including the default administrator credentials, without performing any authentication or authorization checks. Sensitive material is treated as client-readable content rather than server-side state, violating least-privilege exposure principles.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker issues an HTTP GET request to https://<target>/client.php against any reachable NetFax Server. The response body contains the default administrator credentials in clear form. The attacker then authenticates to the administrator interface and operates as a privileged user. No fix is available from the vendor at the time of disclosure, so exposed instances remain vulnerable.
Verified exploitation code is not published. Refer to the Rapid7 Blog on CVE-2025-48045 for technical context.
Detection Methods for CVE-2025-48045
Indicators of Compromise
- HTTP GET requests to /client.php from external or unexpected internal source addresses in web server access logs
- Successful administrator logins to the NetFax web console immediately following a /client.php request from the same source IP
- Configuration changes, new fax routing rules, or new user accounts created shortly after anomalous /client.php traffic
Detection Strategies
- Inspect web server and reverse proxy logs for any request matching the URI path /client.php, treating responses with HTTP 200 status as suspicious
- Correlate /client.php requests against subsequent authenticated administrative sessions from the same client IP within a short time window
- Deploy network IDS signatures that flag GET requests to /client.php on hosts identified as MICI NetFax Servers
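The log correlation described in the strategies above, as an added example that is not part of the original advisory: it parses access-log lines, flags GET /client.php responses with status 200, and reports source IPs that log in shortly afterwards. The Combined Log Format, the `/login.php` login path, the 200/302 success statuses, the 10-minute window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: access log is in Apache/nginx Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
LOGIN_PATH = "/login.php"        # hypothetical admin login URI; set to the real one
LOGIN_OK = (200, 302)            # assumption: statuses a successful login returns
WINDOW = timedelta(minutes=10)   # assumption: the "short time window" to correlate

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2025:10:00:01 +0000] "GET /client.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [29/May/2025:10:02:30 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.9 - - [29/May/2025:10:05:00 +0000] "GET /client.php?x=1 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.20 - - [29/May/2025:11:00:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.9 - - [29/May/2025:12:00:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "-"',
]

def parse(line):
    """Return (ip, time, method, path, status), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["uri"].split("?", 1)[0].lower()  # drop query string, fold case
    return m["ip"], ts, m["method"], path, int(m["status"])

def correlate(lines, window=WINDOW):
    """Return (probes, followed): 200-status /client.php hits, and those hits
    followed by a login from the same IP within `window`."""
    last_probe, probes, followed = {}, [], []
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r[1])
    for ip, ts, method, path, status in records:
        if method == "GET" and path == "/client.php" and status == 200:
            probes.append((ip, ts))
            last_probe[ip] = ts
        elif method == "POST" and path == LOGIN_PATH and status in LOGIN_OK:
            seen = last_probe.get(ip)
            if seen is not None and ts - seen <= window:
                followed.append((ip, seen, ts))
    return probes, followed

if __name__ == "__main__":
    probes, followed = correlate(SAMPLE_LOG)
    for ip, ts in probes:
        print(f"probe  {ip} {ts.isoformat()}")
    for ip, probe_ts, login_ts in followed:
        print(f"ALERT  {ip} login {login_ts - probe_ts} after /client.php")
```

On the sample data this reports two probing sources and one alert; the second source logs in almost two hours later, outside the window, so it is listed as a probe only.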
Monitoring Recommendations
- Forward NetFax Server access logs and authentication logs to a centralized SIEM for retention and correlation
- Alert on any administrator authentication originating from outside an approved management subnet
- Baseline normal administrator activity and trigger detections on out-of-hours configuration changes or credential modifications
How to Mitigate CVE-2025-48045
Immediate Actions Required
- Remove the NetFax Server web management interface from any internet-facing network segment until a vendor patch is available
- Restrict access to the management interface using firewall rules or an access control list that permits only trusted administrator workstations
- Rotate the administrator password immediately and verify that the new credential is not echoed by /client.php
- Audit logs for prior unauthenticated requests to /client.php and treat matching source addresses as potentially compromised
Patch Information
No vendor patch is available at the time of disclosure. The Rapid7 advisory title indicates the MICI NetFax Server vulnerabilities are not fixed. Monitor vendor channels and the Rapid7 Blog on CVE-2025-48045 for updates and apply fixes as soon as they are released.
Workarounds
- Place the NetFax Server behind a reverse proxy that requires client certificate authentication before passing requests to /client.php
- Use web application firewall rules to block or return HTTP 403 for any request to the /client.php URI
- Segment the NetFax Server onto a dedicated management VLAN with strict ingress filtering
- If the appliance is not in active use, power it down or remove it from the network until a vendor fix is released
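# Example WAF rule (ModSecurity) to block requests to the vulnerable endpoint.
# REQUEST_FILENAME excludes the query string, so /client.php?x=1 is matched too;
# the transformations normalize URL encoding, path tricks and case before comparison.
SecRule REQUEST_FILENAME "@streq /client.php" \
    "id:1004845,\
    phase:1,\
    t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    deny,\
    status:403,\
    log,\
    msg:'Blocked access to MICI NetFax /client.php (CVE-2025-48045)'"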


