CVE-2025-34116
BaseFortify

Publication date: 2025-07-15

Last updated on: 2025-07-15

Assigner: VulnCheck

Description
A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.
Meta Information
Published: 2025-07-15
Last Modified: 2025-07-15
Generated: 2026-05-07
AI Q&A: 2025-07-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor    Product       Version / Range
ipfire    ipfire        *
ipfire    proxy.cgi     *
ipfire    ipinfo.cgi    *
CWE ID     Description
CWE-306    The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-78     The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-20     The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-34116 is a critical remote command execution vulnerability in IPFire versions prior to 2.19 Core Update 101. It arises from a command injection flaw in the 'proxy.cgi' CGI interface, where an authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields. This vulnerability is combined with a reflected Cross-Site Scripting (XSS) flaw in another CGI script ('ipinfo.cgi'), which allows bypassing the referer-based CSRF protection. By exploiting the XSS, an attacker can perform authenticated POST requests to 'proxy.cgi' with malicious payloads, leading to command execution with web server privileges. The exploit can result in a full reverse shell on the IPFire system, enabling complete control over the firewall/router. [1, 3, 5]


How can this vulnerability impact me?

This vulnerability can have severe impacts including allowing an attacker to remotely execute arbitrary commands on the IPFire firewall system with web server privileges. Through a chained exploit involving XSS and CSRF bypass, an attacker can gain a full reverse shell, effectively taking control of the firewall. This can lead to unauthorized access, manipulation of firewall rules, interception or disruption of network traffic, and compromise of the entire network infrastructure protected by the firewall. The attacker can perform these actions remotely, requiring only that the attacker be authenticated or able to trick an authenticated administrator into executing malicious code. [1, 3, 4, 5]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can be performed by verifying the IPFire version and core update number to confirm if it is below 2.19 Core Update 101, which is vulnerable. Specifically, sending a GET request to /cgi-bin/pakfire.cgi and parsing the response for the version and core update number can confirm vulnerability. Additionally, testing for the presence of the vulnerable proxy.cgi endpoint by sending crafted POST requests with injected payloads in the NCSA_PASS and NCSA_PASS_CONFIRM parameters can help detect exploitation attempts. For example, using curl to send a POST request to /cgi-bin/proxy.cgi with injected commands such as '||touch /tmp/x;#' in the password fields and then checking for the creation of /tmp/x on the system can indicate vulnerability. Also, monitoring for unusual files like /tmp/x or unexpected reverse shell connections can be indicators. The Metasploit module for this vulnerability includes a check method that performs such version detection and can be used as a detection tool. [4, 5, 3]
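
A defender-side sketch of the two checks described above, added here as an example (it is not code from this page's sources or from the Metasploit module): it compares a version banner against 2.19 Core Update 101 and flags metacharacters in the NCSA_PASS and NCSA_PASS_CONFIRM fields of recorded requests to proxy.cgi. The banner format, the availability of request bodies from a proxy or WAF audit log, and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

FIXED = (2, 19, 101)  # first fixed release per the advisory: 2.19 Core Update 101
# Assumed banner format, e.g. "IPFire 2.19 (x86_64) - Core Update 100"
BANNER_RE = re.compile(r"IPFire (\d+)\.(\d+) \(\w+\) - Core Update (\d+)")
# Characters that let a form value break out of a shell command line.
# Real passwords may contain them too, so a hit is a lead for triage, not proof.
SHELL_META = re.compile(r"[|;&`$<>#\\]")
WATCHED_FIELDS = ("NCSA_PASS", "NCSA_PASS_CONFIRM")


def is_vulnerable_version(page_text):
    """True/False when a banner is found in the page text, None otherwise."""
    m = BANNER_RE.search(page_text)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups()) < FIXED


def suspicious_fields(path, body):
    """Watched form fields in a proxy.cgi POST body that hold metacharacters."""
    if not path.split("?", 1)[0].endswith("/cgi-bin/proxy.cgi"):
        return []
    form = parse_qs(body, keep_blank_values=True)
    return [f for f in WATCHED_FIELDS
            if any(SHELL_META.search(v) for v in form.get(f, []))]


# Constructed audit-log records: (request path, url-encoded POST body)
SAMPLES = [
    ("/cgi-bin/proxy.cgi",
     urlencode({"NCSA_PASS": "Tr0ub4dor3", "NCSA_PASS_CONFIRM": "Tr0ub4dor3"})),
    ("/cgi-bin/proxy.cgi",
     urlencode({"NCSA_PASS": "||touch /tmp/x;#",
                "NCSA_PASS_CONFIRM": "||touch /tmp/x;#"})),
]

if __name__ == "__main__":
    banner = "<strong>IPFire 2.19 (x86_64) - Core Update 100</strong>"
    print("vulnerable version:", is_vulnerable_version(banner))
    for path, body in SAMPLES:
        print(path, "->", suspicious_fields(path, body) or "clean")
```
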


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade IPFire to version 2.19 Core Update 101 or later, as this update contains patches that fix the remote command execution and cross-site scripting vulnerabilities. Applying this update removes the unsafe command execution in proxy.cgi and improves input sanitization and CSRF protections. Until the update can be applied, restrict access to the IPFire web interface (port 444) to trusted administrators only, enforce strong authentication, and monitor for suspicious activity. Avoid clicking on untrusted links that could trigger the XSS and CSRF bypass. If possible, disable or limit the use of the vulnerable CGI scripts. Using network-level protections such as firewall rules to limit access to the management interface can also reduce risk. [2, 5, 1]

