
CVE-2025-29557 PoC — ExaGrid EX10 Security Vulnerability

Source
Associated Vulnerability
Title: ExaGrid EX10 Security Vulnerability (CVE-2025-29557)
Description: ExaGrid EX10 is a backup storage server from the US company ExaGrid. ExaGrid EX10 versions 6.3 through 7.0.1.P08 contain a security vulnerability caused by improper access control on the MailConfiguration API endpoint, which may allow SMTP credentials to be obtained.
Readme

# CVE-2025-29557 – ExaGrid MailConfiguration API Credential Disclosure

## 📝 Overview

**Vulnerability Title**: SMTP Credential Disclosure via MailConfiguration API  
**Product**: ExaGrid EX10 Backup Appliance  
**Versions Affected**: 6.3 – 7.0.1.P08  
**CVE ID**: CVE-2025-29557  
**Severity**: High  
**Attack Vector**: Remote (Authenticated)  
**Impact**: Information Disclosure – Plaintext SMTP Credentials

---

## 🧨 Description

A critical access control flaw exists in the **MailConfiguration API endpoint** of ExaGrid EX10 appliances. Authenticated users with **operator-level privileges** can send a crafted HTTP request to this endpoint and receive SMTP configuration details — including **plaintext SMTP passwords**.

This represents a clear violation of privilege boundaries, as operator roles are not intended to have access to sensitive credentials.

---

## 🔬 Attack Vectors

### 🔹 Direct API Request Manipulation

- A user with operator-level access sends a GET request to the MailConfiguration API.
- The API returns a full JSON payload containing SMTP usernames and passwords **in plaintext**.

### 🔹 API Scraping or Enumeration

- An attacker with programmatic access can **query multiple appliances or endpoints at scale**.
- Enables credential harvesting across environments, especially in large deployments.

---

## 📦 Affected Components

- **Product**: ExaGrid EX10  
- **Component**: MailConfiguration API  
- **Versions**: 6.3 through 7.0.1.P08

---

## 📉 Impact

- **Confidentiality breach**: Disclosure of plaintext credentials used for outbound email (alerting, support).
- **Pivoting**: Possible access to internal or cloud-based SMTP services.
- **Compliance violation**: Violation of basic credential protection practices (e.g., storing secrets in plaintext).

---

## 🛡️ Mitigation

- Upgrade to the latest patched version once available.
- Remove unnecessary SMTP configurations or use tokens where supported.
- Monitor API access logs for `MailConfiguration` queries from operator accounts.
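A defender-side check for the last mitigation item, as an added example that is not part of this advisory or of ExaGrid's tooling: it scans access-log lines for successful MailConfiguration reads by non-admin roles and counts repeats per account to surface the scripted harvesting pattern described under Attack Vectors. The JSON-per-line log layout, the field names and the `admin`/`operator` role values are assumptions, since the appliance's real log format is not given here; the sample lines are constructed.

```python
"""Flag MailConfiguration API reads by non-admin accounts (CVE-2025-29557 detection).
Added example, not ExaGrid code. Log layout is an assumption: the real appliance
access-log format is not given in the advisory, so sample lines are constructed."""
import json
import re
from collections import Counter

MAIL_CONFIG_RE = re.compile(r"mailconfiguration", re.IGNORECASE)  # endpoint named in advisory
PRIVILEGED_ROLES = {"admin"}  # roles expected to read SMTP settings (assumption)

# Constructed sample access log, one JSON object per line (not real ExaGrid output).
SAMPLE_LOG = """\
{"ts":"2025-03-10T09:00:01Z","user":"alice","role":"admin","method":"GET","path":"/api/MailConfiguration","status":200,"src":"10.0.0.5"}
{"ts":"2025-03-10T09:00:07Z","user":"bob","role":"operator","method":"GET","path":"/api/Jobs","status":200,"src":"10.0.0.9"}
{"ts":"2025-03-10T09:00:09Z","user":"bob","role":"operator","method":"GET","path":"/api/MailConfiguration","status":200,"src":"10.0.0.9"}
{"ts":"2025-03-10T09:00:10Z","user":"bob","role":"operator","method":"GET","path":"/api/mailconfiguration?v=2","status":200,"src":"10.0.0.9"}
{"ts":"2025-03-10T09:00:12Z","user":"carol","role":"operator","method":"GET","path":"/api/MailConfiguration","status":403,"src":"10.0.0.7"}
not json at all
"""

def parse_log(text):
    """Yield one dict per well-formed JSON line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: ignore rather than crash the detector

def find_disclosures(text):
    """Return entries where a non-privileged role successfully (HTTP 200) read MailConfiguration."""
    return [
        e for e in parse_log(text)
        if MAIL_CONFIG_RE.search(e.get("path", ""))
        and e.get("role") not in PRIVILEGED_ROLES
        and e.get("status") == 200  # 403s are blocked attempts, not disclosures
    ]

def reads_per_account(text):
    """Count successful reads per (user, source IP); repeats suggest scripted harvesting."""
    return Counter((e["user"], e["src"]) for e in find_disclosures(text))

if __name__ == "__main__":
    for e in find_disclosures(SAMPLE_LOG):
        print(f"ALERT {e['ts']} user={e['user']} role={e['role']} path={e['path']} src={e['src']}")
    print(dict(reads_per_account(SAMPLE_LOG)))
```

On the constructed sample this reports bob's two successful operator-role reads and ignores alice's admin read and carol's denied attempt.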

---

## ✅ Vendor Status

- **Confirmed** and acknowledged by ExaGrid.

---

## 👨‍💻 Discoverer

Security Researcher – Kevin Suckiel (0xsu3ks)  
Discovered and responsibly disclosed CVE-2025-29557.

---

## ⚠️ Legal Notice

This content is provided for **educational and authorized testing purposes only**.  
The author assumes **no liability** for misuse or unauthorized access.