CVE-2025-5095 — AI Deep Analysis Summary

🚨 **Essence**: A critical **Access Control Error** in Burk Technology ARC Solo. The password change mechanism fails to verify identity properly.…

🛡️ **Root Cause**: **CWE-306** (Missing Authentication for Critical Function). The flaw lies in the **password reset/change logic**, which does not strictly validate the user's identity before allowing changes.

🏢 **Affected Vendor**: Burk Technology. 📦 **Product**: ARC Solo (IP-based remote monitoring & control system). ⚠️ **Version**: Specifically affects versions **older than 1.0.60**.

💀 **Attacker Capabilities**: Full **Device Takeover**. Due to CVSS 3.1 High severity (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), attackers gain **High Confidentiality, Integrity, and Availability** impact.…

🔓 **Exploitation Threshold**: **LOW**. The CVSS vector shows **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges Required), and **UI:N** (No User Interaction).…

🔥 **Public Exploit**: **YES**. A Python POC is available on GitHub (TeteuXD2). It involves editing `Login.htm` and `post.json` to target the victim's IP/Port. ⚠️ **Warning**: Works only on versions < 1.0.60.

🔍 **Self-Check**: 1. Identify if you run Burk ARC Solo. 2. Check version number (must be < 1.0.60). 3. Use the provided GitHub POC script to test if the password change endpoint is vulnerable to identity bypass.

🩹 **Official Fix**: Update to **version 1.0.60 or higher**. The POC explicitly states it does not work on newer versions, implying the fix is in the updated firmware/software release.

🚧 **No Patch Workaround**: If you cannot update immediately: 1. **Isolate** the device from the public internet. 2. Restrict access via **Firewall rules** to trusted IPs only. 3.…

⚡ **Urgency**: **CRITICAL**. With CVSS High severity and public POCs, this is an active threat. Prioritize patching to **v1.0.60+** immediately to prevent remote device takeover.