CVE-2025-34087
BaseFortify
Publication date: 2025-07-03
Last updated on: 2025-10-01
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | pi-hole | up to 3.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34087 is a critical authenticated command injection vulnerability in Pi-hole versions up to 3.3. It occurs when adding a domain to the allowlist via the web interface, where the domain parameter is not properly sanitized. This allows an attacker with authentication to append arbitrary operating system commands to the domain string, which are then executed with the privileges of the Pi-hole service user. The vulnerability exists in the legacy AdminLTE interface and has been patched in later versions. [1, 2, 4]
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker to execute arbitrary OS commands on the server running Pi-hole with the privileges of the Pi-hole service user. This can lead to remote code execution, potentially compromising the entire system. Additionally, related vulnerabilities in Pi-hole versions prior to 3.3 include privilege escalation to root, cross-site scripting, SQL injection, and authentication bypass, which can further compromise confidentiality, integrity, and availability of the system. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Pi-hole installation is running a vulnerable version (up to 3.3) of the AdminLTE interface. One practical method is to verify the Pi-hole web interface version by accessing the whitelist page or by using the Metasploit module, which performs a version check before exploitation. Additionally, you can monitor for suspicious POST requests to the endpoint `/admin/scripts/pi-hole/php/add.php` with crafted domain parameters containing shell command delimiters like semicolons (`;`). The Metasploit module (Resource 1) can automate detection and exploitation attempts. Example commands include sending authenticated POST requests with crafted domain parameters to test command injection, but these require valid credentials and careful handling to avoid disruption. [1]
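The monitoring described above can be run over request logs. The following Python script is an added example, not code from this page or from Pi-hole: it flags POSTs to the endpoint whose `domain` value is not a plain hostname, which catches semicolons and any other shell metacharacter without maintaining a blocklist. It assumes a reverse proxy or WAF writes JSON-lines records that include the request body; the field names `client`, `method`, `path` and `body` are hypothetical, as is the assumption that several domains may be submitted separated by whitespace.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/admin/scripts/pi-hole/php/add.php"  # endpoint named on this page
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*\.?")

def suspicious_domains(body):
    """Return decoded 'domain' values that are not plain hostnames."""
    bad = []
    for value in parse_qs(body, keep_blank_values=True).get("domain", []):
        # Assumption: several domains may be submitted separated by whitespace.
        tokens = value.split()
        if not tokens or any(len(t) > 253 or not HOSTNAME.fullmatch(t) for t in tokens):
            bad.append(value)
    return bad

def scan(lines):
    """Yield (client, value) for each flagged POST to the add endpoint."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records
        path = (rec.get("path") or "").split("?")[0]
        if rec.get("method") != "POST" or path != ENDPOINT:
            continue
        for value in suspicious_domains(rec.get("body") or ""):
            yield rec.get("client", "?"), value

# Constructed sample records (hypothetical log format, not real traffic).
SAMPLE = [
    '{"client":"192.0.2.10","method":"POST",'
    '"path":"/admin/scripts/pi-hole/php/add.php","body":"domain=ads.example.com"}',
    '{"client":"192.0.2.66","method":"POST",'
    '"path":"/admin/scripts/pi-hole/php/add.php","body":"domain=ads.example.com%3Bid"}',
    '{"client":"192.0.2.10","method":"GET","path":"/admin/index.php","body":""}',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE):
        print(f"ALERT client={client} domain={value!r}")
```

Standard access logs do not record POST bodies, so this check only works where body capture is enabled on the proxy or WAF in front of the admin interface.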
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Pi-hole to a version later than 3.3 where the vulnerability has been patched. Restrict access to the Pi-hole web interface to trusted users only, as the vulnerability requires authentication. Additionally, monitor and restrict network access to the admin interface, and consider applying any vendor patches or updates promptly. If upgrading immediately is not possible, limit privileges of the Pi-hole service user and audit the whitelist input handling. Avoid using the vulnerable legacy AdminLTE interface and disable or restrict the whitelist feature until patched. [2, 4]