
CVE-2025-29556 PoC — ExaGrid EX10 security vulnerability

Associated Vulnerability
Title: ExaGrid EX10 security vulnerability (CVE-2025-29556)
Description: ExaGrid EX10 is a backup storage appliance made by the US company ExaGrid. ExaGrid EX10 versions 6.3 through 7.0.1.P08 contain a security vulnerability caused by improper handling of API requests, which may allow permission restrictions to be bypassed.
Readme

# CVE-2025-29556 – ExaGrid Security Officer Account Creation Bypass

## 📝 Overview

**Vulnerability Title**: Unauthorized Creation of Security Officer Account  
**Product**: ExaGrid EX10 Backup Appliance  
**Tested Version**: current release at the time of disclosure  
**Versions Affected**: 6.3 – 7.0.1.P08  
**CVE ID**: CVE-2025-29556  
**Severity**: High  
**Attack Vector**: Authenticated, Low-Privileged Access  
**Impact**: Privilege Escalation to Security Officer Role

---

## 🧨 Description

This proof-of-concept (PoC) demonstrates a critical flaw in ExaGrid's API that allows a low-privileged or hijacked session to create **Security Officer** accounts without proper validation or authorization. The attacker must possess a valid `JSESSIONIDSSO` cookie and the `site UUID`.

The vulnerability enables **privilege escalation** and full administrative control over backup operations, user creation, encryption settings, and more.

---

## 🚀 Usage

### ⚙️ Prerequisites

- Python 3.x
- `requests` library (`pip install requests`)
- Valid:
  - `JSESSIONIDSSO` cookie
  - `site UUID`

### 📌 Command

```bash
python3 create_security_officer.py --url 10.0.0.5 --cookie YOUR_JSESSIONIDSSO --uuid YOUR_SITE_UUID
```

Add `--debug` to view the raw response:

```bash
python3 create_security_officer.py --url 10.0.0.5 --cookie abc123def456 --uuid a1b2c3d4 --debug
```

---

## 🧾 What It Does

- Sends a `POST` request to the `/api/v1/sites/{uuid}/users` endpoint
- Bypasses intended controls and creates a new user:
  - **Username**: `Security_Officer_BYPASSED`
  - **Group**: `exagrid-sec-offs`
  - **Password**: base64-encoded (example: `XTNhXmJeKHo/P0hdTSY=`)

---

## 🔐 Impact

- Bypasses access controls around Security Officer account creation
- Grants highest-level access within the backup appliance
- Can result in backup manipulation, policy tampering, and sensitive data access

---

## 🛡️ Mitigation

- Patch when a fix becomes available from ExaGrid
- Monitor for unexpected users in the `exagrid-sec-offs` group
- Invalidate suspicious or stale sessions
- Limit access to internal management interfaces
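A defender-side check for the two monitoring items above, added here as an example (it is not part of the PoC or of ExaGrid's tooling). It assumes a reverse proxy in front of the API that writes combined-format access logs, and a JSON export of the appliance's user list; the sample log lines and user records are constructed, and only the endpoint path, the `exagrid-sec-offs` group and the PoC's username come from this page.

```python
import json
import re

# Assumed (not from the PoC): combined-format access logs from a proxy in front of the API.
# The endpoint path, group name and username below are the indicators named in the README.
USERS_ENDPOINT = re.compile(r'"POST\s+/api/v1/sites/[^/\s]+/users(?:\?|\s)')
SEC_OFF_GROUP = "exagrid-sec-offs"
POC_USERNAME = "Security_Officer_BYPASSED"

# Constructed sample access-log lines (not real ExaGrid output).
SAMPLE_LOG = [
    '10.0.0.23 - - [12/Mar/2025:10:14:02 +0000] "GET /api/v1/sites/a1b2c3d4/users HTTP/1.1" 200 512',
    '10.0.0.99 - - [12/Mar/2025:10:15:41 +0000] "POST /api/v1/sites/a1b2c3d4/users HTTP/1.1" 201 87',
    '10.0.0.23 - - [12/Mar/2025:10:16:05 +0000] "POST /api/v1/sites/a1b2c3d4/login HTTP/1.1" 200 40',
]

# Constructed user export; "backup-admins" is a placeholder group, only exagrid-sec-offs is from the page.
SAMPLE_USERS = json.dumps([
    {"username": "admin", "group": "backup-admins"},
    {"username": "so_alice", "group": "exagrid-sec-offs"},
    {"username": "Security_Officer_BYPASSED", "group": "exagrid-sec-offs"},
    {"username": "so_mallory", "group": "exagrid-sec-offs"},
])


def user_creation_posts(log_lines):
    """Return (client_ip, http_status) for every POST aimed at a site's users endpoint."""
    hits = []
    for line in log_lines:
        if USERS_ENDPOINT.search(line):
            client_ip = line.split(" ", 1)[0]
            # the status code is the first token after the quote that closes the request line
            status = line.rsplit('"', 1)[1].split()[0]
            hits.append((client_ip, status))
    return hits


def unexpected_security_officers(users_json, approved):
    """Flag Security Officer accounts not on the approved list, plus the PoC's own username."""
    findings = []
    for user in json.loads(users_json):
        name = user["username"]
        if name == POC_USERNAME:
            findings.append((name, "matches PoC indicator username"))
        elif user.get("group") == SEC_OFF_GROUP and name not in approved:
            findings.append((name, "security officer not on approved list"))
    return findings
```

A `201` on the users endpoint from a client that is not a known administrator workstation, or any new member of `exagrid-sec-offs` outside the approved set, is the event to investigate.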

---

## 👨‍💻 Author

Security Researcher: Kevin Suckiel (0xsu3ks)  
PoC for CVE-2025-29556 disclosed through responsible channels.

---

## ⚠️ Legal Notice

This tool is intended **for authorized testing and research purposes only**. The author takes **no responsibility for misuse or damage** caused by this code.

File Snapshot

```
[4.0K] /data/pocs/b397ffe8e1df28cac4acc8249a94402b2c5f6708
├── [2.2K] cve-2025-29556.py
└── [2.4K] README.md

0 directories, 2 files
```