CVE-2025-27893 PoC — Archer Platform Security Vulnerability

Source
Associated Vulnerability
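Title: Archer Platform Security Vulnerability (CVE-2025-27893)
Description: Archer Platform is a modern integrated risk management solution from Archer. Archer Platform versions 6 through 6.14.00202.10024 contain a security vulnerability: an authenticated user with record creation privileges can manipulate immutable fields by intercepting and modifying a Copy request, which may compromise data integrity.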
Readme
# CVE-2025-27893: Improper Access Control in Archer Platform

## Description
An **Improper Access Control (CWE-284)** vulnerability exists in Archer Platform versions 6 through 6.14.00202.10024. An authenticated user with record creation privileges can manipulate immutable fields, such as the **creation date**, by intercepting and modifying a **Copy** request via a `GenericContent/Record.aspx?id=` URI.

This enables unauthorized modification of system-generated metadata, compromising data integrity and potentially impacting auditing, compliance, and security controls.

## Affected Products
- **Vendor**: ArcherIRM
- **Product**: Archer
- **Affected Versions**: 6.14.00202.10024

## Vulnerability Type
- **CWE-284: Improper Access Control**
- **CWE-639: Authorization Bypass Through User-Controlled Key**

## Impact
- **Data Integrity Compromise**: Allows unauthorized users to manipulate system-generated metadata.
- **Audit and Compliance Risk**: Can impact compliance monitoring and record integrity.

## Affected Component
The vulnerability affects the **integrity of records** within the Archer system.

## Attack Vectors
### Prerequisites
- The attacker must have an authenticated user account with **record creation privileges**.
- This is a **standard privilege** in the system.

### Exploitation Steps
1. **Target Selection**: Identify an existing record to manipulate.
2. **Initiate the Copy Function**: The attacker selects the record and clicks the three-dot menu to copy it, generating the following request:
   ```http
   POST /RSAarcher/GenericContent/Record.aspx?id=RECORD_ID&moduleId=NUM&levelSelection=NUM&RecordSet=True&Mode=Edit&pr=VALUE&rr=VALUE
   ```
3. **Intercept and Modify the Request**: Using an interception tool (e.g., Burp Suite), the attacker captures the request and alters immutable fields such as the **creation date**.
4. **Submit the Modified Request**: Instead of proceeding with the copy operation, the attacker **cancels the operation** after submission, effectively bypassing the system's enforcement of immutable fields.

## Discoverer
- **Name**: Hattan Hassan D Althobaiti

## References
- [ArcherIRM Official Website](https://archerirm.com)
- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)
- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)

## Mitigation
- **Vendor Action**: The vendor should enforce strict **server-side validation** to prevent modification of immutable fields.
- **Security Controls**: Implement **logging and monitoring** to detect unauthorized record modifications.
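
A minimal sketch of the server-side validation and logging described above, as an added example (not Archer's code and not part of the original README). The field names, record layout and function names are hypothetical; the point is that system-generated metadata is compared against or generated from server state and never taken from the request.

```python
import logging
from datetime import datetime, timezone

# Hypothetical schema: system-generated fields a client must never set.
IMMUTABLE_FIELDS = frozenset({"record_id", "created_at", "created_by"})
audit_log = logging.getLogger("record.audit")


class ImmutableFieldViolation(Exception):
    """A request tried to change a system-generated field."""


def save_record(stored, submitted, actor):
    """Apply an edit; reject the whole request if an immutable field differs."""
    changed = sorted(f for f in IMMUTABLE_FIELDS
                     if f in submitted and submitted[f] != stored.get(f))
    if changed:
        # Logged so monitoring can alert on tampering attempts.
        audit_log.warning("rejected immutable change user=%s record=%s fields=%s",
                          actor, stored.get("record_id"), changed)
        raise ImmutableFieldViolation(", ".join(changed))
    updated = dict(stored)
    updated.update(submitted)  # immutable keys, if present, equal stored values
    return updated


def copy_record(source, submitted, actor, new_id, now=None):
    """Create a copy; metadata is generated server-side, never taken from input."""
    supplied = sorted(IMMUTABLE_FIELDS & submitted.keys())
    if supplied:
        audit_log.warning("ignored client metadata user=%s source=%s fields=%s",
                          actor, source.get("record_id"), supplied)
    editable = {k: v for k, v in {**source, **submitted}.items()
                if k not in IMMUTABLE_FIELDS}
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {**editable, "record_id": new_id, "created_at": stamp,
            "created_by": actor}


if __name__ == "__main__":
    # Constructed sample record and a tampered edit request.
    rec = {"record_id": 7, "created_at": "2025-01-10T09:00:00+00:00",
           "created_by": "alice", "title": "Q1 risk review"}
    try:
        save_record(rec, {"title": "x", "created_at": "2020-01-01T00:00:00+00:00"}, "bob")
    except ImmutableFieldViolation as exc:
        print("rejected:", exc)
```
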

---
**Disclaimer**: This disclosure is for informational purposes only. The discoverer and publisher are not responsible for any misuse of the disclosed vulnerability.
File Snapshot

[4.0K] /data/pocs/08aa383114e6af8a5a098d8071faa8194460df0f
└── [2.7K] README.md

0 directories, 1 file