CVE-2025-64057 Overview
CVE-2025-64057 is a directory traversal vulnerability [CWE-22] affecting Fanvil X210 V2 IP phones running firmware version 2.12.20. The flaw allows unauthenticated attackers on the local network to write files to arbitrary locations on the device. Successful exploitation can lead to system configuration modification, persistence, and other unspecified impacts on the affected hardware.
The vulnerability is exploitable from an adjacent network without authentication or user interaction. It affects the confidentiality, integrity, and availability of the device, with particularly high impact on integrity and availability.
Critical Impact
Unauthenticated attackers on the same network segment can write arbitrary files to the Fanvil X210 file system, enabling configuration tampering and potential device takeover.
Affected Products
- Fanvil X210 IP phone (hardware version 2.0)
- Fanvil X210 firmware version 2.12.20
- Deployments exposing the device management interface to untrusted local network segments
Discovery Timeline
- 2025-12-05 - CVE-2025-64057 published to the National Vulnerability Database (NVD)
- 2026-01-09 - Last updated in the NVD
Technical Details for CVE-2025-64057
Vulnerability Analysis
The Fanvil X210 V2 firmware fails to sanitize file path components supplied to a file upload or storage routine exposed on the local network. An attacker can supply traversal sequences such as ../ within file name or path parameters to escape the intended storage directory. The device then writes attacker-controlled content to arbitrary locations on the underlying file system.
Because the affected endpoint accepts requests without authentication, any host able to reach the device on the LAN can trigger the issue. The attack vector is restricted to the adjacent network rather than the broader internet, but enterprise VoIP deployments often place these phones on shared user VLANs, expanding the realistic attack surface. The EPSS score is 0.795% with a percentile of 51.5, reflecting moderate but non-trivial likelihood of exploitation activity.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory, classified as [CWE-22]. The firmware does not validate, canonicalize, or reject user-supplied path segments before passing them to file write operations. Combined with the absence of authentication on the affected interface, this turns a path handling weakness into a remote unauthenticated file write primitive.
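To make the root cause concrete, here is an added illustration, not code from the Fanvil firmware (whose upload routine is not shown on this page), of the unchecked path join beside a hardened version that canonicalizes the result and rejects anything resolving outside the storage directory. STORAGE_ROOT and both function names are assumptions made for the example.

```python
import os

# Constructed storage root standing in for the directory an upload routine writes into
# (an assumption for this example, not a path taken from the Fanvil firmware).
STORAGE_ROOT = "/tmp/fanvil_demo_storage"


def unsafe_target(filename: str, root: str = STORAGE_ROOT) -> str:
    """The CWE-22 pattern: the caller's file name is joined to the storage root with no
    validation, so '../' segments walk out of the directory before the write happens."""
    return os.path.normpath(os.path.join(root, filename))


def safe_target(filename: str, root: str = STORAGE_ROOT) -> tuple[bool, str]:
    """Hardened form. Returns (True, canonical_path) when the name resolves to a file inside
    the storage root, otherwise (False, reason). Both sides are canonicalized with realpath
    so '..' segments and symlinks are resolved before the containment check."""
    if not filename or "\x00" in filename:
        return False, "empty or NUL-containing file name"
    if os.path.isabs(filename):
        # os.path.join would discard the root entirely for an absolute name
        return False, "absolute paths are not accepted"
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, filename))
    # commonpath is the correct containment test; a plain startswith() would accept
    # a sibling directory such as /tmp/fanvil_demo_storage_evil
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        return False, f"path escapes storage root: {filename!r}"
    return True, candidate


if __name__ == "__main__":
    for name in ("config/sip.cfg", "../../etc/passwd", "/etc/shadow", "logo/../../../tmp/x"):
        print(f"{name!r:26} unsafe -> {unsafe_target(name)}")
        print(f"{'':26} safe   -> {safe_target(name)}")
```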
Attack Vector
An attacker on the same Layer 2 or routed local network sends a crafted request containing directory traversal sequences in the target file path. The firmware resolves the path relative to a privileged location and writes attacker-supplied bytes. By targeting configuration files, startup scripts, or web interface assets, the attacker can alter device behavior, redirect SIP traffic, plant persistent backdoors, or render the phone inoperable.
No verified public proof-of-concept is available at this time. See the GitHub CVE-2025-64057 Advisory for technical details.
Detection Methods for CVE-2025-64057
Indicators of Compromise
- HTTP or proprietary management requests to the Fanvil X210 containing ../ or encoded traversal sequences such as ..%2f in file path parameters
- Unexpected modifications to device configuration files, firmware assets, or startup scripts on Fanvil X210 endpoints
- New or altered SIP registration targets, dial plans, or provisioning URLs on affected phones
- Outbound connections from VoIP phones to hosts that are not part of the approved provisioning or SIP infrastructure
Detection Strategies
- Inspect network traffic to and from Fanvil X210 devices for traversal patterns in URI paths and POST bodies
- Baseline configuration hashes of deployed phones and alert on drift between scheduled provisioning cycles
- Monitor for unauthenticated write operations against the device management interface using IDS or NDR signatures
- Correlate VoIP device activity with identity and asset inventory to flag rogue or unmanaged hosts initiating management traffic
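As an added example of the traffic-inspection strategy above (not from the advisory or from Fanvil), the following scans constructed sensor log lines for traversal sequences, going a step beyond the page by decoding ..%2f, double-encoded and backslash forms as well, and flags non-provisioning sources that repeat the attempt. The key=value log layout, the /UPLOAD_ENDPOINT placeholder and the 10.10.20.10 provisioning address are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Approved provisioning server, the same address used in the ACL example later on this page.
APPROVED_SOURCES = {"10.10.20.10"}

# Constructed sensor log lines. The key=value layout is an assumption, and /UPLOAD_ENDPOINT is a
# placeholder: the advisory does not name the vulnerable Fanvil path.
SAMPLE_LOG = """\
2025-12-06T10:01:02Z src=10.20.5.17 dst=10.20.0.44 method=POST target=/UPLOAD_ENDPOINT?file=../../etc/phone.cfg status=200
2025-12-06T10:01:09Z src=10.10.20.10 dst=10.20.0.44 method=POST target=/UPLOAD_ENDPOINT?file=ringtone1.wav status=200
2025-12-06T10:02:31Z src=10.20.5.17 dst=10.20.0.45 method=POST target=/UPLOAD_ENDPOINT?file=..%2f..%2fetc%2fphone.cfg status=200
2025-12-06T10:03:00Z src=10.20.5.17 dst=10.20.0.46 method=POST target=/UPLOAD_ENDPOINT?file=%252e%252e%252fetc%252fphone.cfg status=200
2025-12-06T10:05:00Z src=10.20.5.19 dst=10.20.0.44 method=GET target=/img/..%5c..%5cboot.cfg status=404
"""

KV_RE = re.compile(r"(\w+)=(\S+)")       # splits "key=value" tokens; the target keeps its own query string
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # "../" or "..\" once the target has been decoded


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so ..%2f and double-encoded %252e%252e%252f both surface as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    return TRAVERSAL_RE.search(decode_layers(target)) is not None


def scan_log(text: str) -> list[dict]:
    """One finding per request whose decoded target carries a traversal sequence."""
    findings = []
    for line in text.splitlines():
        f = dict(KV_RE.findall(line))
        if f and has_traversal(f.get("target", "")):
            findings.append({"src": f["src"], "dst": f["dst"], "method": f["method"],
                             "decoded": decode_layers(f["target"]),
                             "approved_source": f["src"] in APPROVED_SOURCES})
    return findings


def repeat_offenders(findings: list[dict], threshold: int = 2) -> dict[str, int]:
    """Non-approved sources with at least `threshold` traversal attempts (the 'repeated upload attempts' alert)."""
    counts = Counter(f["src"] for f in findings if not f["approved_source"])
    return {src: n for src, n in counts.items() if n >= threshold}
```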
Monitoring Recommendations
- Forward syslog and management plane logs from Fanvil devices to a centralized SIEM for retention and correlation
- Alert on bulk or repeated file upload attempts to phone endpoints from non-administrative source addresses
- Track firmware versions across the fleet and flag any X210 still on version 2.12.20
- Review VLAN segmentation and detect any host on a user VLAN scanning for or interacting with VoIP management ports
How to Mitigate CVE-2025-64057
Immediate Actions Required
- Inventory all Fanvil X210 V2 phones and identify devices running firmware 2.12.20
- Restrict access to the phone management interface using ACLs or dedicated voice VLANs
- Block untrusted hosts from reaching VoIP devices on management ports at the switch and firewall layer
- Audit recent configuration changes on affected phones for signs of tampering
Patch Information
No vendor advisory URL is listed in the NVD record at the time of writing. Administrators should consult the Fanvil Official Website for firmware updates superseding version 2.12.20 and apply patched firmware to all affected X210 devices once available. Until a fix is released, treat the devices as exposed and apply compensating network controls.
Workarounds
- Place all VoIP phones on a dedicated, isolated voice VLAN that is not reachable from user or guest networks
- Enforce 802.1X port authentication so only known endpoints can communicate with phone management services
- Disable any unused remote management or auto-provisioning features on the phone where supported by firmware settings
- Restrict provisioning server communication to known IP addresses using firewall rules
! Example: restrict access to the Fanvil X210 management interface on an IOS-style switch.
! Assumes the phones live in 10.20.0.0/16 and the provisioning server is 10.10.20.10;
! the ACL is applied inbound on the user-facing access ports, not on the voice ports.
ip access-list extended VOICE_MGMT_PROTECT
 remark provisioning server to phones
 permit ip host 10.10.20.10 10.20.0.0 0.0.255.255
 remark deny all other traffic from these ports to the phone subnet (not only management ports)
 deny ip any 10.20.0.0 0.0.255.255
 permit ip any any
!
interface range GigabitEthernet1/0/1 - 48
 ip access-group VOICE_MGMT_PROTECT in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.