Cyberforce 2024: How I found my first CVE OpenPLCV3

Assigned CVE: CVE-2025–1066

For DoE Cyberforce competition we were given a website where we had to find vulnerabilities and protect our networks, inadvertently I found an AFU that led to stored XSS and ATO (Account Take Over).

Cyberforce is a competition hosted by DoE (Department of Energy) where you’re tasked with a blueteam category of protecting your networks and setting up firewall rules and a CTF portion. I was on the CTF team at UCF for Cyberforce (Team B).

One of the pre-competition steps is finding vulnerabilities in a network before we have to harden and protect it. When auditing the OpenPLC3 web source code (written in Python) I noticed that you could upload any file type (AFU) which means HTML, CSS, HTML, .HTACCESS, and ELF files can be uploaded. This means you can reconstruct phishing pages to send to employees and because it’s on the webserver it would be on a trusted domain/server.

However, this vulnerability is only possible authenticated, you need to have logins to the panel. However, what makes this dangerous is you can log in with unsecured credentials, and upload an XSS payload, and even if the password is changed for the account that file will remain on the server. This means you can still send it to employees and be able to steal their authentication session.

The attack scenario allows an attacker to control the PLC devices such as wind turbines or other slave devices and can cause them to shut down, delete configuration files, or upload malicious ones through the XSS. This allows for an account backdoor, the only downside is it requires the user to click the link which then runs the XSS payload, however, as the link is on the trusted domain there’s a higher probability that they will.

Lastly, this can be used to bypass IPtable/network firewalls as a C2. You can upload commands to the server and have slave devices in the internal network communicate to it.

Closing Notes

I did attempt numerous techniques in attempting arbitrary file writes, but was unsuccessful as we were constrained to the /static/ directory. Moreover, even “../..” permutations would be ineffective due to this line of code.