CVE-2025-50428
BaseFortify
Publication date: 2025-08-27
Last updated on: 2025-09-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| raspap | raspap-webgui | to 3.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50428 is an authenticated OS command injection vulnerability in RaspAP raspap-webgui version 3.3.2 and earlier. It occurs because the 'interface' parameter in the includes/hostapd.php script is not properly sanitized before being used in shell commands. An authenticated user can exploit this by injecting malicious shell commands through the interface parameter, which are then executed on the system, potentially compromising it. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker to execute arbitrary OS commands on the affected system. This can lead to unauthorized actions such as creating or modifying files, disrupting network configurations, or gaining further access to the system. The impact includes potential loss of confidentiality, integrity, and availability of the device running RaspAP, as indicated by its high CVSS score of 8.6. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the RaspAP raspap-webgui version 3.3.2 or earlier is running and if the includes/hostapd.php script is vulnerable to command injection via the interface parameter. One practical detection method is to test the /hostapd_conf endpoint by sending an authenticated POST request with a crafted interface parameter containing a harmless command injection payload (e.g., `'; touch /tmp/testfile`). If the file /tmp/testfile is created on the system, the vulnerability exists. Additionally, you can list network interfaces on the system using the command `ip -o link show` to verify if interface validation is implemented. Monitoring for unexpected files or commands executed via the interface parameter can also indicate exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Applying the official patch that introduces interface validation by implementing a function to check if the provided interface exists among real network interfaces (e.g., by parsing `ip -o link show` output). 2) Ensuring all uses of the interface parameter in shell commands are sanitized using PHP's `escapeshellarg()` function to prevent command injection. 3) Updating the raspap-webgui to a version including the fix merged on April 25, 2025 (after PR #1833). If patching is not immediately possible, restrict access to the /hostapd_conf endpoint to trusted users only and monitor for suspicious activity related to interface parameter usage. [1, 2]