CVE-2025-34311
Published: 28 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-34311 is a command injection vulnerability (CWE-78) in IPFire versions prior to 2.29 Core Update 198. The flaw occurs in the Proxy report creation feature, where the application processes an HTTP POST request to /cgi-bin/logs.cgi/calamaris.dat. Parameters including DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT are read and directly interpolated into a shell invocation of the mkreport helper without sanitization for shell metacharacters or improper constructs.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation involves crafting a POST request with injected shell metacharacters into one or more parameters, enabling execution of arbitrary commands as the 'nobody' user. The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.
IPFire addresses the vulnerability in version 2.29 Core Update 198. Mitigation details are provided in the IPFire Bugzilla entry (https://bugzilla.ipfire.org/show_bug.cgi?id=13886), the Core Update 198 release announcement (https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released), and the VulnCheck advisory (https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation).
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a command injection (CWE-78) in a CGI script that interpolates unsanitized parameters into a shell command (mkreport), directly enabling T1059.004 (Unix Shell). As a remotely exploitable web application flaw, it facilitates T1190 (Exploit Public-Facing Application).