AK-Nord USB-Server-LXL Privilege Escalation via Lighttpd Script (CVE-2025-52361)

Key Information CVE ID: CVE-2025-52361 CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Recommended CVSS Score: 7.0 (High) Product: USB-Server-LXL Vendor: AK-Nord GmbH Affected Versions: v8.0.0.16 Build 2023-03-13 and earlier Vulnerability Overview Description: A low-privileged "admin" user account can exploit SSH access on the IoT device "USB-Server-LXL" to modify the script, which is executed by root during system restarts, leading to arbitrary code execution and gaining root privileges. Vulnerability Details 1. The device supports two SSH login users: "root" (high privilege) and "admin" (low privilege). The "admin" user requires a password for login, which defaults to "ak-nord". 2. All scripts in the directory are owned by root, except for the script that controls the web server, which is owned by "admin". This allows editing the file using "vi". 3. Arbitrary commands can be inserted into the script, preferably after line 7, which executes regardless of the parameters provided. 4. These commands will execute when the script is manually started by root or during every system reboot. 5. This ultimately results in arbitrary code execution with root privileges. Background The vulnerability was discovered during a penetration test conducted by msg systems for a third party using the device in a logistics center. AK-Nord GmbH is a German small-to-medium enterprise providing a wide range of IT-related electronic products and systems for industrial environments, specializing in network-enabled adapters. The USB-Server-LXL is designed to host hardware USB devices and integrate them into standard IP networks via Ethernet. Timeline June 2, 2025: Vulnerability detected during penetration testing June 4, 2025: Full penetration test report sent to third-party client June 12, 2025: Excerpt of penetration test report containing this vulnerability sent to the manufacturer June 19, 2025: Manufacturer received the report and provided a patch June 23, 2025: MITRE began processing the new CVE July 8, 2025: MITRE responded and assigned CVE-ID

Goal Reached Thanks to every supporter — we hit 100%!

AK-Nord USB-Server-LXL Privilege Escalation via Lighttpd Script (CVE-2025-52361)

More from this source