Share
## https://sploitus.com/exploit?id=EB3E2D25-55E6-5876-B4F3-9D6D272454EB
# CVE-2025-56015 GenieACS RCE



![Author](https://img.shields.io/badge/Author-DF_Pentest_Team-red?style=for-the-badge&logoColor=white)
![Role](https://img.shields.io/badge/Role-Penetration%20Tester-blue?style=for-the-badge&logoColor=white)
![Country](https://img.shields.io/badge/Country-Thailand-black?style=for-the-badge&logoColor=white)
![Platform](https://img.shields.io/badge/Platform-Linux-blue?style=for-the-badge&logoColor=white)
![Vulnerability](https://img.shields.io/badge/Vuln-Sandbox%20Escape%20%2F%20RCE-critical?style=for-the-badge&logoColor=white)
![CVE](https://img.shields.io/badge/CVE-2025--56015-orange?style=for-the-badge&logoColor=white)
![Status](https://img.shields.io/badge/Exploit-PoC-success?style=for-the-badge&logoColor=white)



## Overview

Proof-of-Concept exploit for **CVE-2025-56015** a critical sandbox escape and code injection vulnerability in **GenieACS** allowing arbitrary JavaScript execution in the provisioning context. By leveraging the `declare.constructor.constructor` prototype chain, an attacker can escape the restricted JavaScript environment, access the underlying Node.js `child_process` and `net` modules, and achieve full **remote code execution (RCE)**.

**Exploit type:** Remote  
**Authentication:** Requires network access to GenieACS NBI (Port 7557) and ACS (Port 7547)  
**Impact:** Full server compromise, reverse shell execution, network pivoting



## Environment Information
- **Test Environment:** [GenieACS Docker Image](https://github.com/GeiserX/genieacs-docker)
- **Tested Version:** GenieACS v1.2.13
- **Untested Versions:** GenieACS v1.2.14 - v1.2.16+ (or Latest version, behavior might differ or be patched)

## Vulnerability Details

### Vulnerability 1: UnAuth Send API
The NBI endpoint on Port 7557 allows unauthenticated access to retrieve sensitive data. Example API endpoints include:

**Get Users Data:**
```bash
$ curl 'http://myhost:7557/users/'
```
_Response includes sensitive information such as password hashes and salts._

**Get Files List:**
```bash
$ curl 'http://myhost:7557/files/'
```

**Get Provisions Details:**
```bash
$ curl 'http://myhost:7557/provisions/'
```

Additionally, files can be downloaded directly from the file server (Port 7567) without authentication:
```bash
wget 'http://myhost:7567/SCR-20250623-qjoi.png'
```

### Vulnerability 2: JS Sandbox Escape (Pre/Post Auth RCE)
A test debug endpoint inside a sandbox restricts direct access to the Node.js `process` object. However, bypassing this restriction is possible via object traversal, specifically using the constructor chain (e.g., `constructor.constructor`).

By calling this on available objects (like `declare`), attackers can escape the sandbox context and gain access to the global `process` object. This grants the ability to read environment variables and execute arbitrary commands.

#### Attack Vectors for RCE
1. **Post-Auth RCE:**
   Provision scripts can be executed directly via the API endpoint `/api/devices/{device_id}/tasks` to achieve a shell. Requests sent through the NBI alone are queued but not executed immediately.

2. **Pre-Auth RCE (Unauthenticated RCE):**
   Using the NBI API, an attacker can create provisions and presets without authentication. The preset serves to run provision scripts automatically when a device sends an event through the CWMP interface.

   **Steps to Exploit:**
   * **Step 1:** Create a malicious provision via `PUT /provisions/{provision_name}`.
   * **Step 2:** Create a preset mapping to the provision via `PUT /presets/{preset_name}` (linking it to an event like "Periodic").
   * **Step 3:** Simulate a device by sending a Device Inform SoapXPC message to the CWMP interface to trigger the event and activate the preset. Subsequent inform requests (like event "2 PERIODIC") will execute the payload.

## Features of This PoC

- Automatic malicious Provision creation via NBI API
- Automatic Preset configuration mapping
- CPE device simulation and automated CWMP wrapper
- Reliable Node.js Sandbox Escape using `declare.constructor.constructor`
- Reverse shell payload execution targetting Linux hosts

## Usage

Prior to running the exploit, update the `ACS_URL`, `NBI_URL`, `LHOST`, and `LPORT` configurations directly within `exploit.py` to match your environment and attacker machine settings.

```bash
# Start listener on your attacker machine
nc -lvnp 4444

# Run the exploit
python3 exploit.py
```

![alt text]()

## Requirements

- Python 3.6+
- `requests` library (`pip install requests`)

## Legal & Ethical Notice

**This code is provided for educational and authorized security testing purposes only.**  
Unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical.

## References

- [GenieACS Documentation](https://genieacs.com/docs/)
- CVE-2025-56015 Advisory

## Credits

Vulnerabilities discovered and exploit developed by:
- Thanasin Luangpipat
- Natchanon Jaengsuwan
- Navapon Premkasem
- Suebpong Sittichotpong

From **Datafarm Co., Ltd.**

---


  Developed by DF Pentest Team โ€ข Thailand