PT-2025-38729 · 2Wcom · 2Wcom Ip-4C

Published: 2025-09-22 · Updated: 2025-10-14 · CVE-2025-57433

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

2wcom IP-4c version 2.15.5

Description

The web interface of the device contains a flaw that allows information disclosure. An authenticated attacker, even with limited privileges such as a guest account, can obtain hashed passwords for admin, manager, and guest accounts by submitting a specially crafted POST request to the /cwi/ajax_request/get_data.php API endpoint. This compromises the security of the system, as the retrieved hashes could be cracked to gain administrative access. The vulnerable parameter is not specified.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-57433

Affected Products

2Wcom Ip-4C