What are the critical vulnerabilities discovered in MICI NetFax Server?

Rapid7 discovered three critical security vulnerabilities in MICI Network Co., Ltd's NetFax Server: CVE-2025-48045 (CVSS 8.7) for disclosed default credentials, CVE-2025-48046 (CVSS 5.3) for disclosure of stored passwords, and CVE-2025-48047 (CVSS 9.4) for command injection. These vulnerabilities allow attackers to gain complete administrative control of affected systems.

How do the MICI NetFax vulnerabilities work together in an attack chain?

The attack begins with CVE-2025-48045, which exposes default administrative credentials through HTTP GET requests to the `/client.php` endpoint. Attackers then use CVE-2025-48046 to access additional sensitive information including cleartext SMTP passwords via GET requests to `/config.php`. Finally, CVE-2025-48047 enables remote code execution through command injection in the server test function at `/test.php`.

What is CVE-2025-48047 and why is it the most dangerous vulnerability?

CVE-2025-48047 (CVSS 9.4) is a command injection flaw that enables remote code execution with root privileges. A server test function at the /test.php endpoint executes commands such as 'ping' and ingests data from configuration parameters like 'ETHNAMESERVER'. Attackers can manipulate these parameters to include system commands that are processed without proper sanitization.

Which versions of MICI NetFax Server are affected?

All NetFax Server versions prior to 3.0.1.0 are exposed to potential compromise through these three critical vulnerabilities. Organizations using these older versions remain vulnerable since MICI has refused to provide security patches.

How many MICI NetFax systems are exposed on the internet?

During their analysis of internet-connected devices, Rapid7 identified 34 systems exposed to the internet. However, Rapid7 notes that the number of devices on internal networks would likely be much higher, increasing the overall risk exposure.

What should organizations do if they use MICI NetFax Server?

Organizations using MICI NetFax Server should immediately isolate the server and plan to disconnect the systems from network access or completely decommission them. Given that the vendor has refused to provide patches and Metasploit modules are being released, continued use poses significant security risks.

Why is the MICI vendor's response particularly concerning?

MICI's explicit refusal to address these critical security vulnerabilities is unprecedented and extremely concerning. This leaves all users of affected NetFax Server versions permanently vulnerable to exploitation, as no official patches will be provided despite the critical nature of the flaws that enable complete system compromise.

Advisory

Critical unpatched flaws in MICI NetFax Server enable root access

Q: What is MICI NetFax Server and what does it do?

MICI's NetFax Server is a product from Taiwan-based vendor MICI Network Co., Ltd that provides reception of fax messages to user mailboxes through email. The server allows organizations to handle fax communications through their email infrastructure.

Q: Has MICI responded to these NetFax Server vulnerabilities?

MICI has explicitly refused to address these vulnerabilities, taking the unprecedented step of stating they will not fix these security issues. Despite multiple attempts to engage MICI through various channels, including assistance from Taiwan's TWCERT, the vendor has advised users to ensure devices are not exposed to external networks and stated they will no longer respond to inquiries regarding this product.

Q: Is Rapid7 releasing exploitation tools for these NetFax vulnerabilities?

Yes, Rapid7 has developed working Metasploit modules for both unauthenticated and authenticated exploitation of these vulnerabilities, which will be released in upcoming updates. The presence of automated tools means that attackers with minimal technical expertise could potentially exploit vulnerable systems at scale.

published: May 31, 2025

Take action: If you're running MICI NetFax Server, immediately disconnect it from your network or place it in an isolated network segment with no internet access, as the vendor has refused to patch three vulnerabilities that allow complete system takeover. Since no security fixes are coming and exploit tools are being developed, plan to replace or decommission the server ASAP.

Learn More

Rapid7 is reporting three critical security vulnerabilities in MICI Network Co., Ltd's NetFax Server that allow attackers to gain complete administrative control of affected systems. MICI's NetFax Server provides receiption of fax messages to user mailboxes through email.

The Taiwan-based vendor has explicitly refused to address these vulnerabilities, leaving organizations using NetFax Server versions prior to 3.0.1.0 exposed to potential compromise. The flaws create an authenticated attack chain to achieve remote code execution with root privileges.

Vulnerabilities summary:

CVE-2025-48045 (CVSS score 8.7) - Disclosed Default Credentials
CVE-2025-48046 (CVSS score 5.3) - Disclosure of Stored Passwords
CVE-2025-48047 (CVSS score 9.4) - Command Injection

Attack chain

The attack begins with CVE-2025-48045, which exposes default administrative credentials through HTTP GET requests to the /client.php endpoint. After accessing the web application on port 80 and intermittently afterwards, a GET request is made to '/client.php' which disclosed default administrative user credentials to clients by providing information contained within an automatically configured setup file.
Once attackers obtain the credentials, they can exploit CVE-2025-48046 to access additional sensitive information. While the NetFax Server's user interface properly redacts SMTP passwords from view, the underlying configuration file accessible via GET requests to /config.php contains these passwords in cleartext format.
Finally, the most dangerous vulnerability is CVE-2025-48047, is a command injection flaw that enables remote code execution. A server test function which executed commands such as 'ping' was located at the /test.php endpoint. This function appeared to ingest data sent to the configuration file such as 'ETHNAMESERVER'. Attackers can manipulate configuration parameters to include system commands, and when the server's test functions execute, these commands are processed without proper sanitization.

Despite multiple attempts to engage MICI through various channels, including assistance from Taiwan's TWCERT (Taiwan Computer Emergency Response Team), the vendor has taken the unprecedented step of explicitly stating they will not address these security issues. The vendor has instead advised users to ensure their devices are not exposed to external networks and has stated they will no longer respond to inquiries regarding this product.

During their analysis of internet-connected devices, Rapid7 noted 34 systems exposed to the internet. Rapid7 notes that the number of devices on internal networks would likely be much higher.

Rapid7 has developed working Metasploit modules for both unauthenticated and authenticated exploitation of these vulnerabilities, which will be released in upcoming updates. The presence of automated tools means that attackers with minimal technical expertise could potentially exploit vulnerable systems at scale.

Organizations using MICI NetFax Server should isolate the server and plan to disconnect the systems from network access or completely decommission them.

Critical unpatched flaws in MICI NetFax Server enable root access