CVE-2025-41646 PoC — RevPi Webstatus application is vulnerable to an authentication bypass

Associated Vulnerability
Title: RevPi Webstatus application is vulnerable to an authentication bypass (CVE-2025-41646)

Description: An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device.
Readme
# CVE-2025-41646 - RevPi Webstatus <= 2.4.5 Authentication Bypass Exploit

## Overview

This is a Python3 exploit script for **CVE-2025-41646**, an **Authentication Bypass vulnerability** affecting **RevPi Webstatus <= 2.4.5**.

### Vulnerability Details:

- **CVE ID**: CVE-2025-41646  
- **Affected Product**: RevPi Webstatus <= 2.4.5  
- **Impact**: Remote attackers can bypass authentication and obtain a valid admin session ID.  
- **Vulnerability Type**: Authentication Bypass  
- **Attack Vector**: Remote HTTP POST request to `/php/dal.php`
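
A defender-side check for the attack vector listed above, as an added example that is not part of the PoC repository: it scans web server access logs for POST requests to `/php/dal.php` coming from outside the management network. The combined log format, the `ADMIN_NETS` allowlist and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/php/dal.php"  # attack vector named in the README
# Assumption: only this management network should reach the Webstatus login.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_admin_source(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable client field is treated as untrusted
    return any(ip in net for net in ADMIN_NETS)

def normalise(target):
    # Drop the query string, decode %xx, collapse "//" and "/./" so that
    # trivially rewritten paths still compare equal to ENDPOINT.
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def suspicious_posts(lines):
    """Count POSTs to ENDPOINT per source address outside ADMIN_NETS."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalise(m["target"]) == ENDPOINT and not is_admin_source(m["src"]):
            hits[m["src"]] += 1
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '10.20.0.15 - - [01/Jan/2025:10:00:00 +0000] "POST /php/dal.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:01:00 +0000] "POST /php/dal.php HTTP/1.1" 200 118 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Jan/2025:10:01:02 +0000] "POST /php//dal.php?x=1 HTTP/1.1" 200 118 "-" "python-requests/2.31"',
    '198.51.100.9 - - [01/Jan/2025:10:02:00 +0000] "GET /php/dal.php HTTP/1.1" 405 0 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2025:10:02:05 +0000] "POST /index.php HTTP/1.1" 200 10 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for src, count in suspicious_posts(SAMPLE).most_common():
        print(f"{src}: {count} POST(s) to {ENDPOINT} from outside the admin network")
```

Hits are leads for review rather than proof of compromise; correlate them with session activity on the device.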

---

## Features

- Supports **single target** or **mass exploitation** via target list  
- Proxy support (e.g., Burp Suite)  
- Silent mode (prints session ID only)  
- JSON output option  
- Stores valid session IDs in an output file

---

## Usage

### Install requirements:

```bash
pip install -r requirements.txt
```
---

### Requirements:

- requests
- urllib3 (usually comes with requests)

---

### Command Examples:

#### Single Target Exploitation:

```bash
python3 cve_2025_41646_auth_bypass.py -u "http://192.168.1.100"
```

#### Multiple Targets (File List):

```bash
python3 cve_2025_41646_auth_bypass.py -l targets.txt
```

#### Use Proxy:

```bash
python3 cve_2025_41646_auth_bypass.py -u "http://192.168.1.100" --proxy "http://127.0.0.1:8080"
```

#### Silent Mode (Prints only Session ID):

```bash
python3 cve_2025_41646_auth_bypass.py -u "http://192.168.1.100" --silent
```

#### JSON Output:

```bash
python3 cve_2025_41646_auth_bypass.py -u "http://192.168.1.100" --json
```

## Script Options

| Option           | Description                                                  |
| ---------------- | ------------------------------------------------------------ |
| `-u`, `--url`    | Target URL (e.g., `http://IP`)                               |
| `-l`, `--list`   | File containing list of targets                              |
| `-o`, `--output` | Output file to save valid session IDs                        |
| `--proxy`        | Use a proxy (`http://127.0.0.1:8080`)                        |
| `--json`         | Print raw JSON output                                        |
| `--silent`       | Silent mode (prints session ID only)                         |

## Output Example

<img width="1894" height="307" alt="exploit" src="https://github.com/user-attachments/assets/009adba6-d408-452e-aa70-f8c2538ec4f9" />

request/response

<img width="1920" height="672" alt="burpsuite" src="https://github.com/user-attachments/assets/9f55af98-c094-4005-b839-0deb4583980b" />


## ⚠️ Disclaimer

This tool is for educational and authorized penetration testing purposes only.
Unauthorized usage against systems without explicit permission is illegal.


## Official Channels

- [YouTube @rootctf](https://www.youtube.com/@rootctf)
- [X @r0otk3r](https://x.com/r0otk3r)

File Snapshot

```
[4.0K] /data/pocs/427b918e7cb85076f8c4327b70aa88c3eeda2678
├── [3.2K] cve_2025_41646_auth_bypass.py
└── [2.8K] README.md

0 directories, 2 files
```