The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint (/cwi/ajax_request/get_data.php), an authenticated attacker (even with a low-privileged account like guest) can retrieve the hashed passwords for the admin, manager, and guest accounts. This significantly weakens the system's security posture, as these hashes could be cracked offline, granting attackers administrative access to the device.
Advisories
Source ID Title
EUVD EUVD EUVD-2025-30805 The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint (/cwi/ajax_request/get_data.php), an authenticated attacker (even with a low-privileged account like guest) can retrieve the hashed passwords for the admin, manager, and guest accounts. This significantly weakens the system's security posture, as these hashes could be cracked offline, granting attackers administrative access to the device.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 14 Oct 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared 2wcom ip-4c Firmware
CPEs cpe:2.3:h:2wcom:ip-4c:-:*:*:*:*:*:*:*
cpe:2.3:o:2wcom:ip-4c_firmware:2.15.5:*:*:*:*:*:*:*
Vendors & Products 2wcom ip-4c Firmware

Tue, 23 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared 2wcom
2wcom ip-4c
Vendors & Products 2wcom
2wcom ip-4c

Mon, 22 Sep 2025 16:00:00 +0000

Type Values Removed Values Added
Description The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint (/cwi/ajax_request/get_data.php), an authenticated attacker (even with a low-privileged account like guest) can retrieve the hashed passwords for the admin, manager, and guest accounts. This significantly weakens the system's security posture, as these hashes could be cracked offline, granting attackers administrative access to the device.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-09-23T18:13:40.814Z

Reserved: 2025-08-17T00:00:00.000Z

Link: CVE-2025-57433

cve-icon Vulnrichment

Updated: 2025-09-23T16:04:42.388Z

cve-icon NVD

Status : Analyzed

Published: 2025-09-22T16:15:44.890

Modified: 2025-10-14T19:56:41.777

Link: CVE-2025-57433

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-09-23T16:09:56Z