CVE-2025-5106 Overview
CVE-2025-5106 is an operating system (OS) command injection vulnerability in Fujian Kelixun 1.0. The flaw resides in the /app/fax/fax_view.php script, specifically within the Filename Handler component. Attackers can manipulate the fax_file parameter to inject arbitrary OS commands on the underlying server. The vulnerability is exploitable remotely without authentication or user interaction. Public exploit details have been disclosed, increasing the risk of opportunistic attacks. The vendor was contacted prior to disclosure but did not respond, leaving affected deployments without an official patch. The weakness is tracked under CWE-77 (Improper Neutralization of Special Elements used in a Command).
Critical Impact
Unauthenticated remote attackers can execute arbitrary operating system commands on Fujian Kelixun 1.0 deployments through the fax_file parameter, with no vendor patch currently available.
Affected Products
- Fujian Kelixun 1.0
- Component: Filename Handler in /app/fax/fax_view.php
- Affected parameter: fax_file
Discovery Timeline
- 2025-05-23 - CVE-2025-5106 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-5106
Vulnerability Analysis
The vulnerability exists in the Filename Handler component of the /app/fax/fax_view.php script in Fujian Kelixun 1.0. The application accepts a fax_file argument from user-controlled HTTP input and passes it into an OS command context without proper neutralization of shell metacharacters. This allows an attacker to append or chain arbitrary commands to the intended operation.
Because the entry point is reachable over the network and requires no authentication, the attack surface includes any internet-exposed or internally reachable Kelixun 1.0 instance. The exploit has been disclosed publicly through a GitHub issue and indexed by VulDB entry #310083. The current EPSS data places this CVE in the upper percentile for likelihood of exploitation activity within 30 days.
Root Cause
The root cause is improper neutralization of special elements used in an OS command [CWE-77]. The fax_file parameter is concatenated into a shell command without input validation, allow-listing, or safe API usage such as parameterized process execution. Shell metacharacters including ;, |, &, and backticks are not stripped or escaped before invocation.
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to /app/fax/fax_view.php with a malicious value in the fax_file parameter. The injected payload is interpreted by the underlying shell, granting command execution in the context of the web service account. From there, attackers can read sensitive files, pivot internally, deploy webshells, or establish persistence.
No verified proof-of-concept code is reproduced here. Technical details are available in the public references: the GitHub issue and VulDB entry #310083.
Detection Methods for CVE-2025-5106
Indicators of Compromise
- HTTP requests to /app/fax/fax_view.php containing shell metacharacters (;, |, &, `, $()) in the fax_file parameter
- Unexpected child processes spawned by the web server account, such as sh, bash, wget, curl, nc, or python
- Outbound connections from the Kelixun host to unfamiliar IP addresses immediately following requests to fax_view.php
- New or modified files in web-accessible directories that may indicate webshell deployment
Detection Strategies
- Inspect web server access logs for requests targeting /app/fax/fax_view.php with anomalous query string content in fax_file
- Correlate web request events with process execution telemetry to identify command injection chains originating from the web server process
- Deploy web application firewall (WAF) signatures that flag shell metacharacter patterns in HTTP parameters bound to file-handling endpoints
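The first strategy above can be run as a log sweep. The following is an added example, not code from the vendor or the advisory sources; it assumes the web server writes common/combined-format access logs, and the sample lines, IP addresses and "CMD" placeholder values are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/app/fax/fax_view.php"   # endpoint named in the advisory
PARAM = "fax_file"                      # parameter named in the advisory
# Metacharacters the advisory lists as indicators: ; | & ` $(
SHELL_META = re.compile(r"[;|&`]|\$\(")
# Assumption: common/combined log format ('ip ... "METHOD target HTTP/x" status').
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, placeholder "CMD" values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2025:10:00:01 +0000] '
    '"GET /app/fax/fax_view.php?fax_file=inbox_0001.tif HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2025:10:00:09 +0000] '
    '"GET /app/fax/fax_view.php?fax_file=x.tif%3BCMD HTTP/1.1" 200 87',
    '203.0.113.7 - - [01/Jun/2025:10:00:12 +0000] '
    '"GET /app/fax/fax_view.php?fax_file=x.tif%7CCMD HTTP/1.1" 200 87',
    '203.0.113.7 - - [01/Jun/2025:10:00:15 +0000] '
    '"GET /app/fax/fax_view.php?fax_file=%24%28CMD%29 HTTP/1.1" 500 0',
    '198.51.100.4 - - [01/Jun/2025:10:01:00 +0000] '
    '"GET /index.php?q=a%3Bb HTTP/1.1" 200 300',
]

def suspicious_fax_requests(lines):
    """Return (client_ip, status, decoded_value) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue  # metacharacters on other endpoints are out of scope here
        # parse_qs percent-decodes, so encoded forms (%3B, %7C, %60) are caught.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if SHELL_META.search(value):
                hits.append((m["ip"], int(m["status"]), value))
    return hits

if __name__ == "__main__":
    for ip, status, value in suspicious_fax_requests(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} {PARAM}={value!r}")
```

Access logs record only the request line, so a fax_file value sent in a POST body will not appear; cover that path with the WAF or process-telemetry strategies listed above.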
Monitoring Recommendations
- Continuously monitor outbound network connections from the Kelixun host for connections to non-business destinations
- Alert on creation or modification of executable scripts within web roots and temporary directories
- Track authentication anomalies and lateral movement attempts originating from the appliance subnet
How to Mitigate CVE-2025-5106
Immediate Actions Required
- Restrict network access to the Kelixun 1.0 management and fax interfaces using firewall rules, allowing only trusted administrative networks
- Remove the application from direct internet exposure until a vendor fix is available
- Review web server and system logs for prior exploitation attempts against /app/fax/fax_view.php
- Rotate credentials and inspect the host for webshells, scheduled tasks, and unauthorized accounts if exploitation is suspected
Patch Information
No vendor patch is currently available. According to the disclosure record, the vendor was contacted early about this issue but did not respond. Organizations running Fujian Kelixun 1.0 should treat this product as unpatched and apply compensating controls. Track the VulDB advisory #310083 and the GitHub issue discussion for updates.
Workarounds
- Place the appliance behind a reverse proxy or WAF that strips or rejects shell metacharacters in the fax_file parameter
- Block direct access to /app/fax/fax_view.php at the network edge if the fax viewing functionality is not required
- Segment the Kelixun host into a restricted VLAN with egress filtering to prevent command-and-control callbacks
- Plan migration to a supported product where the vendor maintains an active security response process


