logis11/CVE-2025-55423-analysis-and-reproduction

GitHub: logis11/CVE-2025-55423-analysis-and-reproduction

Stars: 0 | Forks: 0

# CVE-2025-55423 — ipTIME UPnP Command Injection: Analysis & Reproduction

This repository contains the analysis and reproduction process of CVE-2025-55423. Since learning was the top priority, it also includes the analysis process leading up to each step and the background knowledge needed for it.

Fundamentally, this CVE concerns a command injection in ipTIME's `upnp_relay` function before it was patched. Reaching it requires a preparatory step that assumes a double-NAT setup and uses ARP spoofing so that the attacker's server is recognized as the upstream router; since this preparation is a typical MITM technique rather than the essence of the CVE, it is only covered briefly in the background section.

To summarize the CVE: when the victim's ipTIME router multicasts an SSDP M-SEARCH request to use its UPnP feature, the attacker responds with the address of an HTTP server under the attacker's control. The victim's ipTIME router trusts this address and sends a request to it to retrieve the control URL. Later, when another device behind the victim's ipTIME router sends a port-forwarding request, the router, sitting inside the double NAT, passes the link in the control URL to `system()` through the `upnp_relay` function without any separate validation in order to relay this setting to the upstream router, and executes it; RCE occurs at this point.

The background knowledge needed for this process, the vulnerable-function analysis, the attacker-server construction, and the RCE trigger using QEMU are all included in this repository.
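As an added example that is not part of this repository or of the ipTIME firmware, the following Python shows the check the vulnerable path lacks: the `LOCATION` from an SSDP reply is parsed, pinned to the expected upstream gateway, screened for shell metacharacters, and then handed to a relay helper as an argv list instead of a `system()` string. The SSDP replies, the gateway address and the `upnpc -u/-a` flags (miniupnpc's CLI) are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample SSDP replies (not captures from a real device). 192.168.0.1
# stands for the upstream router the victim router expects to reach via its WAN port.
SSDP_OK = (
    "HTTP/1.1 200 OK\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "LOCATION: http://192.168.0.1:5000/rootDesc.xml\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)
SSDP_TAMPERED = SSDP_OK.replace("rootDesc.xml", "rootDesc.xml;injected")
SSDP_WRONG_HOST = SSDP_OK.replace("192.168.0.1", "192.168.0.77")

SHELL_META = re.compile(r"[;|&$`<>(){}'\"\\\s]")


def parse_ssdp_response(raw: str) -> dict:
    """Return the SSDP response headers as a dict with lower-cased names."""
    status, _, rest = raw.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 response")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def validate_location(url: str, expected_gateway: str) -> str:
    """Accept a LOCATION only if it points at the expected upstream gateway over
    plain HTTP and contains nothing a shell would interpret. The metacharacter
    check is defence in depth: relay_argv() never invokes a shell at all."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname != expected_gateway:
        raise ValueError(f"LOCATION does not point at gateway {expected_gateway}: {url}")
    if SHELL_META.search(url):
        raise ValueError(f"shell metacharacters in LOCATION: {url}")
    return url


def relay_argv(raw_ssdp: str, expected_gateway: str, int_host: str, port: int) -> list:
    """Build the argv for relaying a port mapping upstream. Returning a list for
    subprocess.run(argv) (no shell=True, no system()) is what blocks the injection.
    The 'upnpc -u <desc-url> -a <host> <port> <ext-port> TCP' flags are assumed."""
    url = validate_location(parse_ssdp_response(raw_ssdp)["location"], expected_gateway)
    return ["upnpc", "-u", url, "-a", int_host, str(port), str(port), "TCP"]
```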
## Documentation

- [Background](docs/01-background.md): ARP spoofing, double NAT, UPnP
- [Vulnerable Function Analysis](docs/02-vuln-analysis.md): analysis of the injection sink
- [Attacker Server Setup](docs/03-server-setup.md): fake SSDP server and fake HTTP server setup
- [RCE Trigger](docs/04-rce-trigger.md): dependency analysis, QEMU user-mode harness

## Exploit

The `exploits/` folder contains the attacker servers and harness referenced in the docs.

## Original CVE

URL: .

This repository is an independent analysis & reproduction for study purposes.