[{"data":1,"prerenderedAt":246},["Reactive",2],{"blog-post-/blogs/zlt_m30s_information_disclosure":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"image":11,"alt":9,"ogImage":11,"tags":12,"published":15,"body":16,"_type":238,"_id":239,"_source":240,"_file":241,"_extension":242,"sitemap":243},"/blogs/zlt_m30s_information_disclosure","blogs",false,"","ZLT M30s Information Disclosure","From Info Disclosure to Full Admin Access","9th Nov 2025","https://hacklab.eu.org/blogs-img/zlt-home-page.png",[13,14],"CVE","Hardware",true,{"type":17,"children":18,"toc":227},"root",[19,28,35,41,48,54,95,101,152,157,163,172,179,191,202,208,213],{"type":20,"tag":21,"props":22,"children":24},"element","h2",{"id":23},"zlt-m30s-critical-information-dislosure-vulnerability",[25],{"type":26,"value":27},"text","ZLT M30s Critical Information Dislosure Vulnerability",{"type":20,"tag":29,"props":30,"children":32},"h4",{"id":31},"category-cve",[33],{"type":26,"value":34},"Category: CVE",{"type":20,"tag":29,"props":36,"children":38},{"id":37},"researcher-ramon-bello-gr33pp-s33k3r",[39],{"type":26,"value":40},"Researcher: Ramon Bello (gr33pp / S33K3R)",{"type":20,"tag":42,"props":43,"children":45},"h3",{"id":44},"cve-2025-15082",[46],{"type":26,"value":47},"CVE-2025-15082",{"type":20,"tag":42,"props":49,"children":51},{"id":50},"tl-dr",[52],{"type":26,"value":53},"TL; DR",{"type":20,"tag":55,"props":56,"children":57},"p",{},[58,60,66,68,73,75,80,82,87,88,93],{"type":26,"value":59},"The ",{"type":20,"tag":61,"props":62,"children":63},"code",{"className":7},[64],{"type":26,"value":65},"/reqproc/proc_post",{"type":26,"value":67}," endpoint of the web management interface can be accessed without authentication and returns sensitive device information through ",{"type":20,"tag":61,"props":69,"children":70},{"className":7},[71],{"type":26,"value":72},"isTest",{"type":26,"value":74}," parameter set to ",{"type":20,"tag":61,"props":76,"children":77},{"className":7},[78],{"type":26,"value":79},"false",{"type":26,"value":81}," and ",{"type":20,"tag":61,"props":83,"children":84},{"className":7},[85],{"type":26,"value":86},"goformId",{"type":26,"value":74},{"type":20,"tag":61,"props":89,"children":90},{"className":7},[91],{"type":26,"value":92},"export_information",{"type":26,"value":94},". This includes configuration data that exposes administrative account credentials in plaintext. As a result, an attacker can retrieve information sufficient to gain full access to the device’s web management interface.",{"type":20,"tag":42,"props":96,"children":98},{"id":97},"proof-of-concept-poc-steps-to-reproduce",[99],{"type":26,"value":100},"Proof of Concept (PoC) - Steps to Reproduce",{"type":20,"tag":102,"props":103,"children":104},"ol",{},[105,111,116,135,140],{"type":20,"tag":106,"props":107,"children":108},"li",{},[109],{"type":26,"value":110},"Connect to the device through it's wifi or usb tethering",{"type":20,"tag":106,"props":112,"children":113},{},[114],{"type":26,"value":115},"Identify the device gateway IP, this is where the management interface is usually located.",{"type":20,"tag":106,"props":117,"children":118},{},[119,121,126,128,133],{"type":26,"value":120},"Send a POST request to ",{"type":20,"tag":61,"props":122,"children":123},{"className":7},[124],{"type":26,"value":125},"http://\u003CTARGET_IP>/reqproc/proc_post",{"type":26,"value":127}," with the body ",{"type":20,"tag":61,"props":129,"children":130},{"className":7},[131],{"type":26,"value":132},"isTest=false&goformId=export_information",{"type":26,"value":134},". No cookies or authentication headers are required.",{"type":20,"tag":106,"props":136,"children":137},{},[138],{"type":26,"value":139},"The server responds with a JSON object containing the device configuration path, ready to be downloaded.",{"type":20,"tag":106,"props":141,"children":142},{},[143,145,150],{"type":26,"value":144},"Visit ",{"type":20,"tag":61,"props":146,"children":147},{"className":7},[148],{"type":26,"value":149},"http://\u003CTARGET_IP>/export_information.zip",{"type":26,"value":151}," to download.",{"type":20,"tag":55,"props":153,"children":154},{},[155],{"type":26,"value":156},"With the zip downloaded and unzipped, it contains information relating to the internals of the router, leaking critical information like the web interface admin details.",{"type":20,"tag":42,"props":158,"children":160},{"id":159},"poc",[161],{"type":26,"value":162},"PoC",{"type":20,"tag":55,"props":164,"children":165},{},[166],{"type":20,"tag":167,"props":168,"children":171},"img",{"alt":169,"src":170},"photo","https://hacklab.eu.org/blogs-img/poc.png",[],{"type":20,"tag":55,"props":173,"children":174},{},[175],{"type":20,"tag":167,"props":176,"children":178},{"alt":169,"src":177},"https://hacklab.eu.org/blogs-img/zip_content.png",[],{"type":20,"tag":55,"props":180,"children":181},{},[182,184,189],{"type":26,"value":183},"The zip is password protected, I was able to unzip with password ",{"type":20,"tag":61,"props":185,"children":186},{"className":7},[187],{"type":26,"value":188},"tozed",{"type":26,"value":190},".",{"type":20,"tag":55,"props":192,"children":193},{},[194,195,200],{"type":26,"value":59},{"type":20,"tag":61,"props":196,"children":197},{"className":7},[198],{"type":26,"value":199},"tmp/export_nv_show",{"type":26,"value":201}," file particularly contains the admin credentials to the web interface.",{"type":20,"tag":21,"props":203,"children":205},{"id":204},"video-poc",[206],{"type":26,"value":207},"VIDEO POC",{"type":20,"tag":55,"props":209,"children":210},{},[211],{"type":26,"value":212},"Click the image to watch the video",{"type":20,"tag":55,"props":214,"children":215},{},[216],{"type":20,"tag":217,"props":218,"children":222},"a",{"href":219,"rel":220},"https://youtu.be/u_H29UdiPOc",[221],"nofollow",[223],{"type":20,"tag":167,"props":224,"children":226},{"alt":225,"src":11},"IMAGE ALT TEXT HERE",[],{"title":7,"searchDepth":228,"depth":228,"links":229},2,[230,237],{"id":23,"depth":228,"text":27,"children":231},[232,234,235,236],{"id":44,"depth":233,"text":47},3,{"id":50,"depth":233,"text":53},{"id":97,"depth":233,"text":100},{"id":159,"depth":233,"text":162},{"id":204,"depth":228,"text":207},"markdown","content:blogs:ZLT_M30s_Information_Disclosure.md","content","blogs/ZLT_M30s_Information_Disclosure.md","md",{"loc":4,"lastmod":244,"images":245},"2026-04-29T18:26:59.368Z",[],1777487261932]