CVE-2025-34311

Severity: High (CVSS 4.0 base score 8.7)
EPSS: 96.0%
Published: Oct 28, 2025
Last Modified: Jun 17, 2026

Description

IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
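A server-side allowlist check for the report parameters named above, as an added example (not IPFire's code and not the fix shipped in Core Update 198). The accepted value formats (1 to 4 digits, a one-letter BYTE_UNIT) and the function name check_report_post are assumptions; the sample request bodies are constructed.

```python
import re
from urllib.parse import parse_qsl

# Parameter names as listed in the description for
# POST /cgi-bin/logs.cgi/calamaris.dat.
REPORT_FIELDS = (
    "DAY_BEGIN", "MONTH_BEGIN", "YEAR_BEGIN", "DAY_END", "MONTH_END",
    "YEAR_END", "NUM_DOMAINS", "PERF_INTERVAL", "NUM_CONTENT",
    "HIST_LEVEL", "NUM_HOSTS", "NUM_URLS", "BYTE_UNIT",
)

# Assumption (not from the advisory): every field except BYTE_UNIT is a short
# non-negative integer, and BYTE_UNIT is a single letter.
NUMERIC = re.compile(r"[0-9]{1,4}")
BYTE_UNIT = re.compile(r"[A-Za-z]")


def check_report_post(body: str) -> dict:
    """Return {field: rejected value} for a urlencoded report POST body.

    Values are matched whole (fullmatch), so a trailing newline or any other
    character outside the allowlist is rejected rather than escaped. A field
    sent twice is also rejected, because the validator and the CGI parser
    could otherwise disagree on which copy is used.
    """
    rejected = {}
    seen = set()
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in REPORT_FIELDS:
            continue
        pattern = BYTE_UNIT if name == "BYTE_UNIT" else NUMERIC
        if name in seen or not pattern.fullmatch(value):
            rejected[name] = value
        seen.add(name)
    return rejected


# Constructed sample bodies (not captured traffic).
BENIGN = ("DAY_BEGIN=1&MONTH_BEGIN=10&YEAR_BEGIN=2025&DAY_END=28&MONTH_END=10"
          "&YEAR_END=2025&NUM_DOMAINS=10&PERF_INTERVAL=60&NUM_CONTENT=10"
          "&HIST_LEVEL=10&NUM_HOSTS=10&NUM_URLS=10&BYTE_UNIT=M")
SUSPECT = "DAY_BEGIN=1&NUM_HOSTS=10%3Bid&BYTE_UNIT=M%60id%60&NUM_URLS=5%0A"

if __name__ == "__main__":
    print(check_report_post(BENIGN))
    print(check_report_post(SUSPECT))
```

The same function can run over logged POST bodies to flag requests that would have reached the mkreport invocation with unexpected characters.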

CVSS Details

Base Score: 8.7
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 96.0% percentile
Exploit & Patch Status: No Known Exploit; No Patch Available

Weaknesses 1

CWE-78 OS Command Injection

Affected Products 16

Vendor   Product   Version   Range
ipfire   ipfire    *         <2.29
ipfire   ipfire    2.29      any     (row listed 15 times)

References 3

  • bugzilla.ipfire.org https://bugzilla.ipfire.org/show_bug.cgi?id=13886
    Issue Tracking, Third Party Advisory
  • ipfire.org https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
    Release Notes
  • vulncheck.com https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.