CVE-2025-13187

5.3 MEDIUM

📋 TL;DR

This vulnerability in Intelbras ICIP 2.0.20 allows remote attackers to access plaintext admin credentials stored in the /xml/sistema/acessodeusuario.xml file. Attackers can exploit this to gain unauthorized administrative access to affected systems. Organizations using Intelbras ICIP 2.0.20 are affected.

💻 Affected Systems

Products:
  • Intelbras ICIP
Versions: 2.0.20
Operating Systems: Unknown - likely various Linux distributions
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration where the /xml/sistema/acessodeusuario.xml file stores credentials in plaintext.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, allowing data theft, system modification, and lateral movement within the network.

🟠

Likely Case

Unauthorized administrative access leading to configuration changes, data exfiltration, and potential ransomware deployment.

🟢

If Mitigated

Limited impact with proper network segmentation and credential rotation, though the system remains vulnerable to credential theft until patched.

🌐 Internet-Facing: HIGH - Remote exploitation allows attackers to access credentials without authentication from anywhere on the internet.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems can exploit this vulnerability to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit involves simple HTTP requests to access the vulnerable XML file containing plaintext credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Check Intelbras website for security advisories
2. Apply any available patches for ICIP 2.0.20
3. Update to a newer version if available

🔧 Temporary Workarounds

Restrict access to vulnerable XML file


Configure web server to block access to /xml/sistema/acessodeusuario.xml

# For Apache 2.4+: Add to .htaccess or virtual host config
# (<Files> matches by file name, so this also blocks copies in other directories)
<Files "acessodeusuario.xml">
    Require all denied
</Files>
# For Nginx: Add to server block
# (place before any broader regex location that could match the same path first)
location ~* /xml/sistema/acessodeusuario\.xml$ {
    deny all;
}

Implement network access controls


Restrict network access to ICIP management interface

# Example iptables rules to restrict access to specific IPs
# Rules are evaluated in order: these must precede any broader ACCEPT rule in INPUT
# (use -I instead of -A to insert them at the top of the chain if needed)
iptables -A INPUT -p tcp --dport [ICIP_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [ICIP_PORT] -j DROP

🧯 If You Can't Patch

  • Isolate affected systems in a segmented network zone with strict access controls
  • Implement multi-factor authentication and regularly rotate administrative credentials

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[target_ip]/xml/sistema/acessodeusuario.xml and check if it returns plaintext credentials

Check Version:

Check ICIP web interface or configuration files for version information

Verify Fix Applied:

Verify the XML file is no longer accessible or contains encrypted/hashed credentials

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /xml/sistema/acessodeusuario.xml
  • Unusual authentication attempts from new IP addresses
  • Multiple failed login attempts followed by successful admin login

Network Indicators:

  • HTTP GET requests to vulnerable XML file path
  • Traffic to ICIP management interface from unexpected sources

SIEM Query:

source="web_logs" AND (uri="/xml/sistema/acessodeusuario.xml" OR (status=200 AND uri LIKE "%/acessodeusuario.xml%"))
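The log indicators and SIEM query above can be applied offline to web server access logs. The following script is an added example (not part of this advisory or any Intelbras tooling): it assumes combined/common log format, runs over constructed sample lines, and separates requests that were served (status 200, likely disclosure) from requests that were blocked by a workaround.

```python
import re
from collections import defaultdict

# Sample access-log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [12/Nov/2025:10:01:05 +0000] "GET /xml/sistema/acessodeusuario.xml HTTP/1.1" 200 871
198.51.100.7 - - [12/Nov/2025:10:02:30 +0000] "GET /XML/Sistema/AcessoDeUsuario.XML HTTP/1.1" 200 871
192.0.2.44 - - [12/Nov/2025:10:03:11 +0000] "GET /xml/sistema/acessodeusuario.xml HTTP/1.1" 403 199
203.0.113.10 - - [12/Nov/2025:10:03:40 +0000] "GET /acessodeusuario.xml?x=1 HTTP/1.1" 404 150
"""

# Common/combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Match the credential file regardless of case, parent directory or query string,
# mirroring the broad LIKE "%/acessodeusuario.xml%" clause of the SIEM query.
TARGET_RE = re.compile(r'/acessodeusuario\.xml(?:[?#]|$)', re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_credential_file_access(log_text):
    """Return all requests for the ICIP credential file.
    severity 'disclosure' = HTTP 200 (file was served); 'blocked' = any other status."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and TARGET_RE.search(rec["uri"]):
            rec["severity"] = "disclosure" if rec["status"] == 200 else "blocked"
            events.append(rec)
    return events

def summarize_by_source(events):
    """Count events per client IP and severity, for triage and alert deduplication."""
    summary = defaultdict(lambda: {"disclosure": 0, "blocked": 0})
    for e in events:
        summary[e["ip"]][e["severity"]] += 1
    return dict(summary)
```

A source IP with one or more 'disclosure' events should be treated as having the admin credentials, so rotate them and review subsequent logins from that address.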
