Cybersecurity experts have raised serious alarms after uncovering a chain of critical vulnerabilities in MICI Network Co., Ltd’s NetFax server software, putting organizations at high risk of complete system compromise. Despite months of coordinated disclosure efforts, the vendor has refused to fix the flaws, leaving customers dangerously exposed.
The vulnerabilities, tracked as CVE-2025-48045, CVE-2025-48046, and CVE-2025-48047, can be chained to give remote attackers full control of affected systems with root-level privileges. The issues stem from default credentials, cleartext password exposure, and an exploitable command injection flaw, which together form a devastating attack chain.
MICI NetFax: A Vulnerability Chain Leading to Root-Level Exploitation
Researchers at Rapid7 have discovered multiple zero-day vulnerabilities in versions of MICI Network’s NetFax server prior to 3.0.1.0, allowing full remote code execution. The first in the chain, CVE-2025-48045, exposes default administrative credentials via HTTP requests to /client.php. These credentials are automatically transmitted when accessing the server, likely linked to the ‘OneIn’ client application, and offer attackers a gateway for further exploitation.
Once initial access is gained, attackers can leverage CVE-2025-48046 to retrieve cleartext SMTP passwords from configuration requests to /config.php. While the user interface masks these credentials, the backend fails to secure them, making it easy for attackers to escalate access.
The most dangerous flaw, CVE-2025-48047, involves command injection using unfiltered backtick characters within configuration parameters. Using the /test.php endpoint, attackers can abuse system functions like ping with malicious payloads that ultimately lead to full remote code execution via Unix tools like mkfifo and nc.
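As an added, defender-side illustration (not Rapid7’s module or any MICI code), the script below scans web-server access logs for the three request patterns in this chain: requests to /client.php and /config.php from outside a trusted address range, and /test.php parameters carrying backticks or other shell metacharacters. The ‘combined’ log format, the trusted address prefix and the parameter name host are assumptions of the example, not details from the advisory.

```python
# Detection helper written for this post (not Rapid7's or MICI's code): flag
# access-log requests matching the three NetFax weaknesses described above.
# Assumed, not from the advisory: Apache/nginx "combined" log format and the
# query-parameter name 'host' used in the constructed sample lines.
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints named in the advisory and the weakness each one carries.
SENSITIVE = {
    "/client.php": "CVE-2025-48045 default credential disclosure",
    "/config.php": "CVE-2025-48046 cleartext SMTP password exposure",
}
INJECT_ENDPOINT = "/test.php"  # CVE-2025-48047 command injection
# Backticks are the advisory's vector; ; | & and $( are other shell chaining chars.
SHELL_META = re.compile(r"[`;|&]|\$\(")
# Client IP, method, request target and status from a "combined" log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def analyse_line(line, trusted_prefixes=("10.0.0.",)):
    """Return findings for one access-log line ([] when nothing looks suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, parts = m["ip"], urlsplit(m["target"])
    findings = []
    if parts.path == INJECT_ENDPOINT:
        # parse_qsl URL-decodes, so an encoded %60 is inspected as a backtick.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META.search(value):
                findings.append(f"{ip}: shell metacharacter in {INJECT_ENDPOINT} "
                                f"parameter {key!r}: {value!r}")
    elif parts.path in SENSITIVE and not ip.startswith(trusted_prefixes):
        findings.append(f"{ip}: {SENSITIVE[parts.path]} from untrusted address")
    return findings

def analyse_log(lines, trusted_prefixes=("10.0.0.",)):
    return [f for line in lines for f in analyse_line(line, trusted_prefixes)]

# Constructed sample traffic, not real log data.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2025:10:01:02 +0000] "GET /client.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/May/2025:10:02:13 +0000] "GET /client.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/May/2025:10:02:40 +0000] "GET /config.php HTTP/1.1" 200 2048',
    '10.0.0.5 - - [28/May/2025:10:03:00 +0000] "GET /test.php?host=192.0.2.1 HTTP/1.1" 200 300',
    '203.0.113.9 - - [28/May/2025:10:03:21 +0000] "GET /test.php?host=192.0.2.1%60x%60 HTTP/1.1" 200 300',
]
if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports the two sensitive-endpoint requests from 203.0.113.9 and the /test.php request whose host value decodes to a backtick-wrapped string, while the two requests from the trusted range produce no findings.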
Security researcher Anna Quinn from Rapid7 disclosed the vulnerabilities in January 2025 and made multiple attempts to alert the vendor, including through Taiwan’s national Computer Emergency Response Team (TWCERT). After months of silence, MICI responded in May 2025 via TWCERT stating they would not patch the vulnerabilities and instead advised users to avoid exposing NetFax servers to the internet.
Despite this alarming stance, Rapid7 identified 34 internet-exposed NetFax systems and warned that more may exist within private enterprise networks. Servers of a similar type called CoFax were also found in Iran, but these were not vulnerable to the same issues.
In the absence of a vendor fix, Rapid7 urges customers to immediately change default credentials, restrict network access, and evaluate the risks of continuing to use the product. The firm has created Metasploit modules to simulate both authenticated and unauthenticated attacks and included vulnerability detection for InsightVM and Nexpose users in its May 28, 2025 update.
What Undercode Say:
This scenario offers a textbook case of how vendors can jeopardize digital infrastructure when they neglect basic security responsibility. MICI Network Co., Ltd’s handling of these severe vulnerabilities is not just negligent, it’s reckless. The discovery of default admin credentials exposed over HTTP is a glaring sign that NetFax was not designed with modern security standards in mind.
The nature of the vulnerabilities suggests systemic flaws in how user data and system commands are handled. Hardcoding credentials and leaving them exposed in cleartext demonstrates a disregard for security hygiene. Furthermore, leaving SMTP passwords unprotected in the configuration files and failing to properly sanitize inputs in test parameters opens the door to a full-scale compromise.
Command injection through /test.php reflects an even deeper issue. The presence of classic Unix utilities like mkfifo and nc allows attackers to build a full backdoor shell, turning the server into a launchpad for further intrusions across the network.
Vendor inaction only deepens the crisis. MICI’s refusal to issue patches or even provide support signals an abandonment of responsibility, effectively transferring all risk onto its users. Advising customers to avoid exposing the server to the internet is hardly an adequate security measure—most fax servers inevitably require network access to function effectively.
Rapid7’s decision to release Metasploit modules for both authenticated and unauthenticated exploitation raises concerns about weaponization. While these tools aid defenders, they also become available to malicious actors if organizations don’t act quickly.
Organizations relying on NetFax must now weigh the cost of switching platforms against the very real threat of being compromised. Many may not even be aware of the exposure until it’s too late. The existence of similarly architected CoFax systems in other countries indicates a potential for broader vulnerability in related MICI products.
Cyber hygiene starts with vendors, and when they fail, the ripple effects can be enormous. Enterprises must build layered defenses, implement zero-trust policies, and apply segmentation around legacy or unsupported tools like NetFax. The cost of ignoring these threats may be far higher than replacing the software entirely.
Fact Checker Results ✅
🔎 MICI Network confirmed via TWCERT that they will not patch the vulnerabilities
📉 Rapid7 verified 34 publicly exposed NetFax servers across the internet
🛠️ CVEs and technical details have been publicly documented and are reproducible
Prediction:
If unaddressed, the NetFax vulnerabilities will become a target for automated botnets and ransomware groups by Q3 2025. MICI’s inaction is likely to lead to enterprise breaches, especially in healthcare and public sectors that still rely on fax communications. Security-conscious organizations will start decommissioning NetFax or placing it behind strict firewall rules, while exploit kits will emerge based on the released Metasploit modules.
References:
Reported By: cyberpress.org