AC Smart II contains an authentication bypass caused by a hidden password reset form that can be manipulated to change the administrator password without verifying login or permissions, letting attackers change admin passwords without authorization.
PoC code [publicly available]
id: CVE-2025-10204

info:
  name: AC Smart II - Authentication Bypass
  author: theeldruin
  severity: high
  description: |
    AC Smart II contains an authentication bypass caused by a hidden password reset form that can be manipulated to change the administrator password without verifying login or permissions, letting attackers change admin passwords without authorization.
  impact: |
    Attackers can change the administrator password without authorization, leading to full system takeover.
  remediation: |
    Update to the latest version that properly verifies login status and user permissions before password reset.
  reference:
    - https://www.notion.so/eldruin/Unauthenticated-Administrator-Password-Reset-AC-Smart-II-v2-1-9-Rev-2251-24d27474cccb80a68e47f907b94abed9
    - https://nvd.nist.gov/vuln/detail/CVE-2025-10204
  classification:
    cwe-id: CWE-306
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"Doc/WebLogin.asp"
    fofa-query: body="Doc/WebLogin.asp"
  tags: cve,cve2025,unauth,auth-bypass

http:
  - raw:
      - |
        GET /Doc/WebLogin.asp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "div id=\"div_admin_pwd\" style=\"position:absolute;top:180px;left:50%;width:411px;height:228px;margin:0 0 0 -235px ;z-index:1; visibility: hidden;","AC Smart")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502210089aba51382c1375f1c001ed3930aa77711cb9d11f00cb28d7ea7b10fadf23436022004bb97d3efadd989e92bee69f1992de65f0fceb62c9a6b24608776a5c89c1905:922c64590222798bb761d5b6d8e72950