CVE-2025-44163

Publication date: 2025-06-27

Last updated on: 2025-11-10

Assigner: MITRE

Description
RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.
Meta Information
Published: 2025-06-27
Last Modified: 2025-11-10
Generated: 2026-05-07
AI Q&A: 2025-06-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: raspap
Product: raspap-webgui
Version / Range: 3.3.1
CWE-23: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-44163 is a vulnerability in RaspAP WebGUI version 3.3.1 where an authenticated attacker can exploit a directory traversal flaw in the 'entity' POST parameter of the file '/ajax/networking/get_wgkey.php'. The parameter is used unsafely in a shell command to generate WireGuard keys, allowing the attacker to overwrite arbitrary files writable by the web server user by injecting path traversal sequences. This can lead to overwriting critical files such as web application PHP files, potentially causing site defacement, denial of service, or remote code execution if malicious code is written. [1]


How can this vulnerability impact me?

This vulnerability allows an authenticated user to overwrite any file writable by the web server user ('www-data') by sending a crafted POST request. The impacts include site defacement by replacing frontend PHP files with arbitrary data, denial of service by corrupting essential files, and potentially remote code execution if the attacker writes executable PHP code. It requires no shell access and can be exploited with a single request, making it a high-impact vulnerability in environments where multiple users have access. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for authenticated POST requests to the endpoint `/ajax/networking/get_wgkey.php` whose `entity` parameter contains suspicious values, such as path traversal sequences (`../`) or spaces. For example, you can use web server access logs or network monitoring tools to search for POST requests with `entity` parameters containing `../` or other unusual characters. A sample command to search web server logs might be: `grep -i 'POST /ajax/networking/get_wgkey\.php' /var/log/apache2/access.log | grep -F 'entity=..'`. Additionally, checking for unexpected modifications to critical web files (e.g., `/var/www/html/index.php`) by comparing file hashes or timestamps can help detect exploitation. [1]
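
The detection idea above, as an added example that is not part of the original page or of RaspAP: it percent-decodes the `entity` value (including double encoding) and flags anything outside the alphanumeric, underscore and hyphen allowlist named in the mitigation advice. It assumes request records that include the form body (for instance from a WAF or audit log), since standard access log formats do not record POST bodies; the function names and sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

ENDPOINT = "/ajax/networking/get_wgkey.php"
# Allowlist taken from the mitigation advice: letters, digits, underscore, hyphen.
SAFE_ENTITY = re.compile(r"[A-Za-z0-9_-]+")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_entities(method, path, body):
    """Return decoded `entity` values in one request that fail the allowlist."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    hits = []
    # parse_qs performs the first round of decoding ('+' becomes a space).
    for raw in parse_qs(body, keep_blank_values=True).get("entity", []):
        value = decode_fully(raw)
        if not SAFE_ENTITY.fullmatch(value):
            hits.append(value)
    return hits

# Constructed sample records (method, path, form body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", ENDPOINT, "entity=wg-server"),
    ("POST", ENDPOINT, "entity=..%2F..%2Fvar%2Fwww%2Fhtml%2Findex.php"),
    ("POST", ENDPOINT, "entity=%252e%252e%252fpeer"),
    ("POST", ENDPOINT, "entity=peer+one"),
    ("GET", "/index.php", ""),
]

def scan(requests):
    """Map record index -> offending values for records that need review."""
    return {i: h for i, r in enumerate(requests) if (h := suspicious_entities(*r))}

if __name__ == "__main__":
    for idx, values in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: entity fails allowlist: {values!r}")
```

Matching against the allowlist rather than searching for `../` also catches encoded and space-containing values that a literal string search would miss.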


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Restricting access to the RaspAP WebGUI to trusted users only, as the vulnerability requires authentication.
2) Applying input validation to the `entity` parameter to allow only alphanumeric characters, underscores, and hyphens, and disallowing path traversal characters such as `../` and spaces.
3) Replacing the use of `escapeshellcmd()` with `escapeshellarg()` in the code to properly sanitize shell arguments.
4) Avoiding the use of shell commands for key generation and instead using native PHP APIs.
If a patch or updated version of RaspAP is available that addresses this issue, apply it promptly. Also, monitor and restore any overwritten files from backups if exploitation is suspected. [1]

