Frozenka/CVE-2025-26318

TSplus Remote Access - CVE-2025-26318 (Insecure Permissions Information Disclosure)

📌 Description

In its default configuration, TSplus Remote Access discloses the list of domain user accounts currently connected to the TSplus instance to anyone who can reach its web interface, with no authentication required.

🔍 Vulnerability Details

  • CVE ID: CVE-2025-26318
  • Vendor: TSplus
  • Affected Versions: TSplus Remote Access < v17.30
  • Vulnerability Type: Insecure Permissions
  • Impact: Information Disclosure
  • Attack Vector: Remote (Unauthenticated HTTP request)

🚨 Risks

This vulnerability allows an unauthenticated attacker to retrieve the list of all domain accounts currently connected to the application.
The consequences can be serious: a list of valid, currently active domain usernames is exactly the starting material for highly targeted phishing or vishing campaigns, and it removes the username-guessing step from password-based attacks.


🚀 Proof of Concept (PoC)

This repository contains a script that exploits the TSplus vulnerability.
It queries the connected-user list at regular intervals and appends each newly seen username to a file, so that accounts which connect and disconnect between polls are still captured and the number of valid domain users collected grows over time.

📂 PoC File: exploit.py

📸 PoC Execution Screenshots:

(two screenshots of the PoC run, not reproduced in this text)


🔥 Impact

Attackers can exploit this flaw to:

  • Retrieve a list of all domain accounts logged into the TSplus instance, without authenticating.
  • Use the valid usernames for further attacks such as phishing, password spraying or credential stuffing.
  • Gain reconnaissance data (naming convention, domain, who is active and when) for targeted intrusions.

✅ Remediation

Following responsible disclosure, the TSplus development team addressed this vulnerability. 📌 As of October 30, 2024, the vendor has implemented the following fix:

  • The /cgi-bin/hb.exe endpoint no longer lists usernames.
  • A new dedicated API endpoint was introduced: /api/loadbalancing/load on port 19955.
  • The new endpoint requires signed messages with a timestamp, so requests must be authenticated and a captured message only stays valid for a limited time.

The fix first shipped in a beta build; given the affected range above (< v17.30), upgrade to Remote Access v17.30 or later. After upgrading, confirm that an unauthenticated request to /cgi-bin/hb.exe no longer returns any usernames, and restrict network access to port 19955 to the hosts that need it.

Vendor Confirmation (October 30, 2024):

"We have removed the user listing from the endpoint /cgi-bin/hb.exe. A new dedicated endpoint /api/loadbalancing/load on port 19955 has been implemented, which requires signed messages with a timestamp. The fix is available in the beta version of Remote Access."
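TSplus has not published the message format behind the new /api/loadbalancing/load endpoint, so the following is a generic illustration added for this page, not the vendor's code: an HMAC-SHA256 signature over a timestamp and a body, with the checks a "signed message with a timestamp" design needs on the receiving side (signature validity first, then freshness) plus a small replay cache, because a timestamp window alone still lets a captured message be replayed inside the window. The pre-shared key, the 30-second window and the payload layout are assumptions, and the key and message in `demo()` are constructed.

```python
# Added illustration, not TSplus's implementation: a generic HMAC-SHA256
# "signed message with a timestamp" scheme. The key, the 30 s window and the
# payload layout are assumptions made for this example.
import hashlib
import hmac
import json
import time
from typing import Optional

MAX_SKEW_SECONDS = 30  # assumed freshness window


def _canonical(ts: int, body: dict) -> bytes:
    """Bytes that get signed: timestamp, a separator, then canonical JSON."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return str(ts).encode() + b"." + payload


def sign_message(key: bytes, body: dict, ts: Optional[int] = None) -> dict:
    """Client side: attach a timestamp and an HMAC over timestamp+body."""
    ts = int(time.time()) if ts is None else ts
    sig = hmac.new(key, _canonical(ts, body), hashlib.sha256).hexdigest()
    return {"ts": ts, "body": body, "sig": sig}


def verify_message(key: bytes, msg: dict, now: Optional[int] = None,
                   seen: Optional[set] = None) -> tuple:
    """Server side. Returns (accepted, reason).

    The MAC is checked before the timestamp so an unauthenticated sender
    gets the same "bad signature" answer whatever timestamp it sends; the
    window bounds how long a captured message stays valid; the optional
    `seen` cache rejects a replay of a valid message inside that window.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(msg["ts"])
        body = msg["body"]
        sig = str(msg["sig"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    expected = hmac.new(key, _canonical(ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return False, "bad signature"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    if seen is not None:
        if sig in seen:
            return False, "replay"
        seen.add(sig)
    return True, "ok"


def demo() -> list:
    """Exercise the checks with a constructed key and message (offline)."""
    key = b"shared-secret-assumed"  # assumption: a pre-shared key
    seen = set()
    msg = sign_message(key, {"server": "rds01", "load": 0.42}, ts=1_700_000_000)
    tampered = dict(msg, body={"server": "rds01", "load": 0.0})
    return [
        verify_message(key, msg, now=1_700_000_010, seen=seen)[1],  # ok
        verify_message(key, msg, now=1_700_000_010, seen=seen)[1],  # replay
        verify_message(key, tampered, now=1_700_000_010)[1],        # bad signature
        verify_message(key, msg, now=1_700_000_100)[1],             # stale timestamp
        verify_message(b"wrong-key", msg, now=1_700_000_010)[1],    # bad signature
    ]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the `seen` cache only needs to hold signatures younger than the window, so it can be pruned on every check; anything older is already rejected as stale. Whether the vendor's scheme uses a shared secret, per-server keys or an asymmetric signature is not stated in the confirmation quoted above.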


🗓 Disclosure Timeline

  • September 2024: Vulnerability discovered.
  • 16 October 2024: Reported to the vendor.
  • 24 October 2024: Vendor confirmed the issue.
  • 30 October 2024: Patch released in beta.
  • 28 February 2025: Public disclosure.

⚠ Disclaimer

This PoC is intended for educational and research purposes only.
Do not exploit systems without explicit permission.


💡 If you find this useful, consider starring the repo! ⭐
