CVE-2025-67115 Overview
A path traversal vulnerability exists in the /ftl/web/setup.cgi component of the Sercomm SCE4255W (FreedomFi Englewood) Small Cell firmware. This vulnerability allows remote authenticated users to read arbitrary files from the filesystem by exploiting improper input validation in the log_type parameter when accessing /logsave.htm. Firmware versions prior to DG3934v3@2308041842 are affected.
Critical Impact
Authenticated attackers can leverage this path traversal flaw to access sensitive configuration files, credentials, and other critical system data stored on the affected Small Cell device, potentially leading to full device compromise.
Affected Products
- Sercomm SCE4255W (FreedomFi Englewood) Small Cell devices
- Firmware versions prior to DG3934v3@2308041842
- FreedomFi network infrastructure deployments using vulnerable firmware
Discovery Timeline
- 2026-03-19 - CVE CVE-2025-67115 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-67115
Vulnerability Analysis
This path traversal vulnerability affects the web management interface of the Sercomm SCE4255W Small Cell device. The vulnerability resides in the /ftl/web/setup.cgi script, which processes user-supplied input through the log_type parameter without adequate sanitization.
When an authenticated user accesses the /logsave.htm endpoint, the application accepts arbitrary path sequences in the log_type parameter. By crafting malicious input containing directory traversal sequences (such as ../), an attacker can escape the intended directory and read arbitrary files from the device's filesystem. This type of vulnerability is particularly dangerous on embedded devices where sensitive configuration data, including network credentials and system secrets, may be accessible.
The vulnerability requires authentication, which limits the attack surface to users who have valid credentials or can obtain them through other means. However, in enterprise or shared network environments where multiple users have device access, this represents a significant risk.
Root Cause
The root cause of this vulnerability is improper input validation in the web interface's file handling logic. The setup.cgi script fails to properly sanitize the log_type parameter before using it in filesystem operations. Specifically, the application does not:
- Filter or reject directory traversal sequences (../, ..\\)
- Validate that the requested path remains within the intended log directory
- Implement proper canonicalization of file paths before access
This allows attackers to construct requests that traverse outside the designated log storage directory and access arbitrary files anywhere on the filesystem that the web server process has permissions to read.
Attack Vector
The attack vector for this vulnerability involves sending crafted HTTP requests to the vulnerable endpoint on the Small Cell device's web interface. An authenticated attacker can manipulate the log_type parameter in requests to /logsave.htm to include path traversal sequences.
For example, an attacker could craft a request where the log_type parameter contains sequences like ../../../etc/passwd to escape the log directory and access system files. The attack requires network access to the device's management interface and valid authentication credentials.
The exploitation process involves establishing an authenticated session with the device and then sending specially crafted requests with directory traversal payloads in the log_type parameter. The vulnerable endpoint returns the contents of the specified file, allowing the attacker to exfiltrate sensitive data.
For detailed technical information about this vulnerability, refer to the Nero Team Blog on FreedomFi and the FCC Report on Device ID.
Detection Methods for CVE-2025-67115
Indicators of Compromise
- Unusual HTTP requests to /logsave.htm containing ../ sequences in the log_type parameter
- Web server access logs showing repeated attempts to access the /ftl/web/setup.cgi endpoint with varying path traversal patterns
- Authentication events followed by suspicious file access patterns on the device
- Network traffic containing responses with contents of sensitive system files (e.g., /etc/passwd, configuration files)
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block path traversal sequences in HTTP parameters
- Monitor web server logs for requests containing encoded or unencoded directory traversal patterns (../, %2e%2e%2f, ..%252f)
- Implement intrusion detection signatures for path traversal attempts targeting the /logsave.htm endpoint
- Enable detailed logging on Small Cell management interfaces and forward logs to a centralized SIEM
Monitoring Recommendations
- Establish baseline access patterns for the Small Cell management interface and alert on anomalies
- Configure alerts for any access to sensitive system files that should not be served via the web interface
- Monitor for bulk file access attempts or sequential requests with incrementing path traversal depths
- Review authentication logs for the device management interface regularly for unauthorized access attempts
How to Mitigate CVE-2025-67115
Immediate Actions Required
- Update all Sercomm SCE4255W devices to firmware version DG3934v3@2308041842 or later immediately
- Restrict network access to the device's web management interface using firewall rules or network segmentation
- Review access logs for evidence of exploitation attempts and investigate any suspicious activity
- Audit user accounts with access to device management and remove unnecessary privileges
Patch Information
The vulnerability is addressed in firmware version DG3934v3@2308041842 and later releases. Organizations should obtain the updated firmware through their FreedomFi support channels or the official vendor distribution mechanism. Before applying the update, verify firmware integrity using checksums provided by the vendor.
For additional information, consult the FreedomFi Home Page for official security advisories and firmware update procedures.
Workarounds
- Implement network-level access controls to restrict management interface access to trusted administrator IP addresses only
- Deploy a reverse proxy or WAF in front of the device management interface to filter malicious requests
- If web management is not required, disable the HTTP/HTTPS management interface entirely and use alternative management methods
- Consider placing affected devices behind a VPN to limit exposure while awaiting patching
# Example network segmentation using iptables
# Restrict access to management interface (port 443) to trusted admin subnet
iptables -A INPUT -p tcp --dport 443 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# Log blocked attempts for monitoring
iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "SCE4255W-BLOCKED: "
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
