CVE-2022-4982 in GoIP-1
Summary
by MITRE • 11/13/2025
DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5 contain a local file inclusion vulnerability. The device's web server exposes handlers (`frame.html` and `frame.A100.html`) that accept a path parameter (`content` or `sidebar`) which is not properly validated or canonicalized. An attacker can supply directory-traversal sequences to cause the server to read and return arbitrary filesystem files that the webserver user can access. Other GoIP models and firmware versions are likely affected. Exploitation evidence was observed by the Shadowserver Foundation on 2024-03-21 UTC.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/13/2025
The vulnerability identified as CVE-2022-4982 affects DBLTek GoIP-1 devices running firmware versions up to and including GHSFVT-1.1-67-5, representing a critical local file inclusion flaw that exposes sensitive system information through improper input validation. This vulnerability resides within the device's web server implementation where specific handlers named `frame.html` and `frame.A100.html` process path parameters labeled `content` and `sidebar` respectively. The absence of proper validation and canonicalization mechanisms allows attackers to manipulate these parameters with directory traversal sequences such as ../ or ..\ to access files outside the intended directory structure. The flaw aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal vulnerabilities. These vulnerabilities fall under the ATT&CK technique T1213.002 for Data from Information Repositories, as they enable unauthorized access to system files that may contain sensitive configuration data, credentials, or operational information. The vulnerability affects not only the specific GoIP-1 model but also other GoIP devices and firmware versions, indicating a widespread exposure across the product line. The web server user context determines the scope of accessible files, meaning attackers can read files that the web server process has permission to access, potentially including configuration files, log data, or other sensitive information stored on the device. The Shadowserver Foundation's observation of exploitation evidence on 2024-03-21 UTC confirms that this vulnerability is actively being targeted in the wild, making it a pressing concern for network administrators managing these devices. The attack vector requires no authentication, as the vulnerability exists within the web interface that typically operates without requiring user credentials for basic access. This makes the vulnerability particularly dangerous as it can be exploited by anyone with network access to the device, potentially leading to full system compromise if sensitive information is exposed. The impact extends beyond simple information disclosure, as the exposed files might contain system configurations, user credentials, or other operational data that could facilitate further attacks. Organizations should immediately assess their network for devices running affected firmware versions and implement mitigation strategies. The vulnerability represents a classic example of input validation failure where the web server fails to properly sanitize user-supplied path parameters before using them to access filesystem resources, creating an attack surface that allows for arbitrary file reading. This weakness in the firmware design demonstrates a critical gap in the security architecture of the device, particularly in how it handles user input within its web interface components. The exposure of these vulnerabilities through public web interfaces makes them particularly attractive to automated scanning tools and malicious actors seeking to exploit unpatched devices. Network segmentation and access controls should be implemented immediately to prevent unauthorized access to these devices, while firmware updates should be deployed as soon as available to remediate the vulnerability. The presence of this vulnerability in multiple GoIP models indicates that similar flaws may exist in other components of the device's software stack, warranting a comprehensive security assessment of the entire firmware ecosystem. This vulnerability exemplifies the importance of proper input validation and the principle of least privilege in embedded system security design, where web server processes should not have access to sensitive system files beyond their intended scope. The lack of proper canonicalization in path handling allows attackers to bypass directory restrictions through carefully crafted traversal sequences that exploit the web server's failure to normalize file paths before access. The security implications of this vulnerability extend to potential privilege escalation scenarios, where access to system files might reveal information that could be leveraged for more sophisticated attacks against the device or network. Organizations should monitor for exploitation attempts and implement network-based detection measures to identify traffic patterns associated with this specific vulnerability. The vulnerability's persistence across multiple firmware versions suggests that the root cause has not been properly addressed in the software development lifecycle, indicating a need for improved security testing and code review processes in the development of embedded firmware solutions.