PoC for CVE-2025-10352: an unauthenticated endpoint in Melis Platform (melis-core) that lets a remote attacker create an administrator account with a single crafted HTTP request to an admin-only endpoint.
- 📄 CVE-2025-10352 on MITRE
- 📄 Melis Platform Warning on INCIBE (Spanish National Cybersecurity Institute)
- 📄 PoC: CVE-2025-10352-POC.txt (raw HTTP request exported from Burp)
This PoC targets an unauthenticated administrative endpoint in the melis-core module:
/melis/MelisCore/ToolUser/addNewUser
A remote unauthenticated attacker can submit a crafted request to this endpoint to create a new user with administrator privileges. Because the endpoint lacks proper authentication and authorization checks, the attacker gains persistent administrative access to the application.
Impact includes:
- Creation of persistent admin accounts.
- Full administrative takeover of the web application.
- Potential lateral movement, data exfiltration, and destructive actions.
- Burp Suite (recommended) or any HTTP proxy that accepts raw HTTP requests.
- curl, nc/netcat, or socat for manual testing if you prefer the CLI.
- Access to CVE-2025-10352-POC.txt (raw HTTP request exported from Burp).
- Authorization to test the target system (see legal notice).
- Open Burp → Repeater.
- Open CVE-2025-10352-POC.txt and copy the raw HTTP request.
- Paste it into a new Repeater tab, set the proper target host (and Host header) and press Send.
- Check the response for success (200/201, or JSON/text confirming creation). A 302 is ambiguous on its own: on a patched instance it is typically a redirect to the login page, so inspect the Location header rather than trusting the status code.
- Attempt to log in with the created credentials, or confirm via the user listing endpoint.
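On the remediation side, the same endpoint path is the indicator to hunt for in web-server access logs, both to confirm what a test created and to find earlier abuse. The script below is an added example written for this page, not part of the PoC or of Melis Platform. It assumes logs in the Apache/nginx combined format (adjust the regex for other servers), matches the path case-insensitively and without its query string so that variant spellings are not missed (a deliberate assumption that favours false positives over misses), and runs on constructed sample lines rather than real traffic. Any hit must be reviewed against the user listing, since a 2xx is only a probable creation and a 302 can be either a post-creation redirect or a bounce to the login page.

```python
"""Hunt for requests to the CVE-2025-10352 endpoint in access logs.

Added example for this write-up (not the PoC author's code). Parses
combined-format access log lines (format is an assumption), reports every
request to /melis/MelisCore/ToolUser/addNewUser and flags 2xx answers as
probable account creations that need manual review.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Endpoint from the advisory. Compared case-insensitively (assumption: we
# would rather review a false positive than miss a variant spelling).
VULN_PATH = "/melis/MelisCore/ToolUser/addNewUser"

# Combined log format (assumed):
# ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    status: int
    user_agent: str
    probable_success: bool  # True for 2xx; 302 is ambiguous and stays False


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines: List[str]) -> List[Finding]:
    """Return one Finding per request to the vulnerable endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if path.lower() != VULN_PATH.lower():
            continue
        status = int(rec["status"])
        findings.append(Finding(
            ip=rec["ip"],
            time=rec["time"],
            method=rec["method"],
            status=status,
            user_agent=rec["ua"] or "-",
            probable_success=(200 <= status < 300),
        ))
    return findings


# Constructed sample log lines (not real traffic, RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /melis/login HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "POST /melis/MelisCore/ToolUser/addNewUser HTTP/1.1" 200 87 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Oct/2025:12:01:44 +0000] "POST /melis/melisCore/tooluser/addnewuser?x=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '192.0.2.10 - admin [10/Oct/2025:12:05:00 +0000] "GET /melis/MelisCore/ToolUser/list HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        flag = "PROBABLE ACCOUNT CREATION" if f.probable_success else "review (ambiguous status)"
        print(f"{f.time} {f.ip} {f.method} {f.status} {f.user_agent} -> {flag}")
```

Run it against the sample and the first POST is flagged as a probable creation while the 302 is listed for review; in a real hunt, cross-check every hit against the user listing and remove any account you did not provision.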
This document is for authorized security testing and remediation only. Do not use the PoC or reproduction steps against systems you do not own or do not have explicit permission to test. The author is not responsible for misuse.
Made with ❤️ by Manuel Iván San Martín Castillo