CVE-2025-34312
Published: 28 October 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-34312 is a command injection vulnerability (CWE-78) affecting IPFire versions prior to 2.29 Core Update 198. The flaw resides in the urlfilter.cgi component, where the BE_NAME parameter is processed during blacklist installation via an HTTP POST request. This parameter is directly interpolated into a shell command without proper sanitization, enabling attackers to inject shell metacharacters and execute arbitrary commands as the 'nobody' user. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. By crafting a malicious BE_NAME value during blacklist installation, the attacker achieves remote code execution as the 'nobody' user, potentially leading to high confidentiality, integrity, and availability impacts, such as data exfiltration, file manipulation, or denial-of-service within the restricted user context.
IPFire addressed the issue in version 2.29 Core Update 198, as detailed in the official release announcement. Security practitioners should update affected systems immediately, per advisories from IPFire's Bugzilla (ID 13887) and VulnCheck, which confirm the patch sanitizes the BE_NAME input to prevent injection. No workarounds are specified beyond applying the update.
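The flaw class described above, shown as an added Python illustration that is not IPFire's code or its patch: a request value pasted into a shell command string, next to the same call made without a shell and behind an allowlist. The function names, the allowlist rule, and the stand-in helper command are assumptions made for this example.

```python
import re
import subprocess
import sys

# Assumption: a conservative allowlist; the rule IPFire's patch applies is not on the page.
# The first character must be alphanumeric so the value can never look like an option.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")

# Stand-in for the installer a CGI script would call: it only prints its one argument.
HELPER = [sys.executable, "-c", "import sys; print('installing', sys.argv[1])"]


def install_via_shell(name):
    """Flawed pattern (CWE-78): the value is pasted into text that a shell parses."""
    result = subprocess.run("echo installing " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def install_via_argv(name):
    """No shell: the value is one argv element, so metacharacters stay literal."""
    result = subprocess.run(HELPER + [name], capture_output=True, text=True, check=True)
    return result.stdout


def validate_name(name):
    """Allowlist check on the whole string; reject instead of trying to escape."""
    if not isinstance(name, str) or SAFE_NAME.fullmatch(name) is None:
        raise ValueError("invalid blacklist name")
    return name


def install_hardened(name):
    """Both layers: validate first, then execute without a shell."""
    return install_via_argv(validate_name(name))


if __name__ == "__main__":
    crafted = "lists; echo INJECTED"  # constructed, harmless test value
    print(repr(install_via_shell(crafted)))   # the shell runs a second command
    print(repr(install_via_argv(crafted)))    # the value stays a single argument
    print(repr(install_hardened("example-list")))
    try:
        install_hardened(crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

Either layer alone stops the constructed value; using both means a later change that reintroduces a shell call still receives only allowlisted input.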
Details
- CWE(s): CWE-78
Affected Products
- IPFire versions prior to 2.29 Core Update 198
MITRE ATT&CK Enterprise Techniques
- T1059.004
- T1210
Why these techniques?
The vulnerability is a command injection (CWE-78) in a CGI script, directly enabling arbitrary Unix shell command execution (T1059.004) as the 'nobody' user and exploitation of a remote web service (T1210).