CVE-2025-32813
Published 2025-05-22
CVE-2025-32813: An issue was discovered in Infoblox NETMRI before 7.6.1. Remote Unauthenticated Command Injection can occur.
Priority P182 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 43.04% (98.6th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| infoblox | netmri | < 7.6.1 | 7.6.1 |
Detection & IOCs (extracted from sources)
url: /webui/application/get_saml_request?saml_id=1%26$(id|%20base64);
path: /webui/application/get_saml_request
command: saml_id=1%26$(id|%20base64);
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Infoblox NetMRI get_saml_request saml_id parameter Command Injection Attempt (CVE-2025-32813)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webui/application/get_saml_request|3f|"; fast_pattern; startswith; content:"saml_id|3d|"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,rhinosecuritylabs.com/research/infoblox-multiple-cves/; reference:cve,2025-32813; classtype:attempted-admin; sid:2062741; rev:1; metadata:affected_product Infoblox, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_06_04, cve CVE_2025_32813, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests are GET requests to /webui/application/get_saml_request with shell metacharacters (;, newline, backtick, pipe, $) injected into the saml_id parameter
- A successful exploitation response returns HTTP 500 with Content-Type application/json and a body containing 'sh', ': command not found', and 'message', indicating command output leakage via error
- The injected command output (e.g., from `id`) is base64-encoded in the response body; decode and look for uid= and gid= strings to confirm RCE
- The regex pattern 'sh: (.*?): command' in the HTTP response body can be used to extract and confirm command injection output
- Snort/Suricata SID 2062741 (ET rule) covers this exploit; deploy on perimeter and internal sensors with TLS decryption enabled for full coverage
- The Snort/Suricata rule requires TLS decryption (tls_state TLSDecrypt) to be effective against HTTPS traffic to NetMRI appliances
- The vulnerability is exploitable without authentication (unauthenticated); no session cookie or credential is required to reach the vulnerable endpoint
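Where TLS decryption is not available on the sensor, the same request pattern can be hunted for in the web access logs of the appliance or a fronting proxy. The following is an added example, not code from any of the sources on this page: it assumes a combined-format access log, the function names are hypothetical, and the sample lines are constructed. It percent-decodes the saml_id value before testing for the metacharacters the ET rule lists.

```python
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/webui/application/get_saml_request"
# Same metacharacters the ET rule looks for: ; newline backtick | $
SHELL_META = set(";\n`|$")
# Assumed log layout: combined access log, request line in double quotes.
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) [^"]*" (\d{3})')

def saml_id_values(target):
    """Return the percent-decoded saml_id values of a request target."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    values = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name) == "saml_id":
            values.append(unquote(raw))
    return values

def scan(lines):
    """Return (client, status, value) for GETs with shell metacharacters in saml_id."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m.group(2) != "GET":
            continue
        client, _, target, status = m.groups()
        for value in saml_id_values(target):
            if SHELL_META & set(value):
                hits.append((client, int(status), value))
    return hits

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2025:10:00:01 +0000] "GET /webui/application/get_saml_request?saml_id=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2025:10:00:05 +0000] "GET /webui/application/get_saml_request?saml_id=1%26$(id|%20base64); HTTP/1.1" 500 233',
    '198.51.100.7 - - [04/Jun/2025:10:00:09 +0000] "GET /webui/application/get_saml_request?saml_id=1%3Bid HTTP/1.1" 404 0',
    '192.0.2.10 - - [04/Jun/2025:10:00:12 +0000] "GET /webui/other?saml_id=%24x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        # 500 is the status the notes above tie to a successful attempt.
        note = "review host: response was 500" if status == 500 else "attempt"
        print(f"{client} status={status} saml_id={value!r} -> {note}")
```

A hit with status 500 only matches the response status described above; confirming command execution still requires the response body or host-side evidence.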
CVSS provenance
nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck · 7.2 HIGH
GHSA
GHSA-9888-65w8-vw6m: An issue was discovered in Infoblox NETMRI before 7
ghsa_unreviewed·2025-05-22
CVE-2025-32813 [HIGH] CWE-77 GHSA-9888-65w8-vw6m: An issue was discovered in Infoblox NETMRI before 7
VulnCheck
infoblox netmri Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2025·CVSS 7.2
CVE-2025-32813 [HIGH] infoblox netmri Improper Neutralization of Special Elements used in a Command ('Command Injection')
Affected: infoblox netmri
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-32813; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-32813&date=2025-10-17; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-32813&date=2025-10-18; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-32813&date=2025-10-19; https://api.vulncheck.com/v3/index/vulncheck-canarie
Suricata
ET WEB_SPECIFIC_APPS Infoblox NetMRI get_saml_request saml_id parameter Command Injection Attempt (CVE-2025-32813)
suricata·2025-06-04·CVSS 7.2
CVE-2025-32813 [HIGH] ET WEB_SPECIFIC_APPS Infoblox NetMRI get_saml_request saml_id parameter Command Injection Attempt (CVE-2025-32813)
Nuclei
Infoblox NetMRI < 7.6.1 - Unauthenticated Command Injection in get_saml_request
nuclei·CVSS 7.2
CVE-2025-32813 [HIGH] Infoblox NetMRI < 7.6.1 - Unauthenticated Command Injection in get_saml_request
Template:
id: CVE-2025-32813
info:
  name: Infoblox NetMRI < 7.6.1 - Unauthenticated Command Injection in get_saml_request
  author: iamnoooob,pdresearch
  severity: high
  description: |
    An issue was discovered in Infoblox NETMRI before 7.6.1. Remote Unauthenticated Command Injection can occur.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands with elevated privileges through the saml_id parameter in the get_saml_request endpoint.
  remediation: |
    Upgrade to Infoblox NetMRI version 7.6.1 or later that properly sanitizes user input in SAML request handling.
  reference:
    - https: