CVE-2025-32813
published 2025-05-22

CVE-2025-32813: An issue was discovered in Infoblox NETMRI before 7.6.1. Remote Unauthenticated Command Injection can occur.

Priority: P1 · 82 · high · CVSS 3.1: 7.2
CVSS vector: AV:N AC:L PR:H UI:N S:U C:H I:H A:H
ITW · Exploit · VulnCheck KEV: Exploited in the wild
EPSS: 43.04% (98.6th percentile)

Affected (1 range)

Vendor    Product  Version range  Fixed in
infoblox  netmri   < 7.6.1        7.6.1

Detection & IOCs (extracted from sources)

url: /webui/application/get_saml_request?saml_id=1%26$(id|%20base64);
path: /webui/application/get_saml_request
command: saml_id=1%26$(id|%20base64);
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Infoblox NetMRI get_saml_request saml_id parameter Command Injection Attempt (CVE-2025-32813)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webui/application/get_saml_request|3f|"; fast_pattern; startswith; content:"saml_id|3d|"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,rhinosecuritylabs.com/research/infoblox-multiple-cves/; reference:cve,2025-32813; classtype:attempted-admin; sid:2062741; rev:1; metadata:affected_product Infoblox, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_06_04, cve CVE_2025_32813, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests are GET to /webui/application/get_saml_request with shell metacharacters (;, newline, backtick, pipe, $) injected into the saml_id parameter
  • A successful exploitation response returns HTTP 500 with Content-Type application/json and a body containing 'sh', ': command not found', and 'message', indicating command output leakage via error
  • The injected command output (e.g., from `id`) is base64-encoded in the response body; decode and look for uid= and gid= strings to confirm RCE
  • The regex pattern 'sh: (.*?): command' in the HTTP response body can be used to extract and confirm command injection output
  • Snort/Suricata SID 2062741 (ET rule) covers this exploit; deploy on perimeter and internal sensors with TLS decryption enabled for full coverage
  • The Snort/Suricata rule requires TLS decryption (tls_state TLSDecrypt) to be effective against HTTPS traffic to NetMRI appliances
  • The vulnerability is exploitable without authentication; no session cookie or credential is required to reach the vulnerable endpoint
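As an added example (not from this page's sources or the ET rule itself), the following Python applies the same detection logic as the notes above to constructed access-log lines and a constructed JSON error body; the combined log format, client IPs and response shape are assumptions:

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Endpoint and parameter named in the advisory and in ET SID 2062741.
VULN_PATH = "/webui/application/get_saml_request"
PARAM = "saml_id"
META = re.compile(r"[;\n`|$]")  # metacharacters the rule's pcre looks for after saml_id=
CMD_NOT_FOUND = re.compile(r"sh: (.*?): command")  # pattern from the detection notes
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def is_injection_attempt(request_uri: str) -> bool:
    """Mirror the ET rule: vulnerable path plus any shell metacharacter (raw or
    percent-encoded) anywhere after saml_id= in the query string."""
    parts = urlsplit(request_uri)
    _, sep, tail = parts.query.partition(PARAM + "=")
    if parts.path != VULN_PATH or not sep:
        return False
    return META.search(unquote(tail)) is not None  # unquote catches %26, %3B, %0A ...

def flag_log_lines(lines):
    """Return client IPs of combined-format access-log lines that look like attempts."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("method") == "GET" and is_injection_attempt(m.group("uri")):
            hits.append(line.split(" ", 1)[0])
    return hits

def leaked_command_output(body: str):
    """Confirm a captured response leaks id(1) output: the base64 inside
    'sh: <b64>: command not found' must decode to text containing uid= and gid=."""
    m = CMD_NOT_FOUND.search(body)
    if not m:
        return None
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # not base64: some other shell error, not this leak
        return None
    return text if "uid=" in text and "gid=" in text else None

# Constructed samples (not captured from a real appliance): the advisory's IoC URL,
# a benign request to the same endpoint, an unrelated request, and a leak-shaped body.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jun/2025:10:15:01 +0000] "GET /webui/application/get_saml_request?saml_id=1%26$(id|%20base64); HTTP/1.1" 500 143',
    '198.51.100.4 - - [04/Jun/2025:10:15:09 +0000] "GET /webui/application/get_saml_request?saml_id=42 HTTP/1.1" 200 512',
    '198.51.100.9 - - [04/Jun/2025:10:16:30 +0000] "GET /webui/login?next=%2Fhome;x HTTP/1.1" 200 88',
]
SAMPLE_RESPONSE = '{"message":"sh: %s: command not found"}' % base64.b64encode(
    b"uid=1001(netmri) gid=1001(netmri)").decode()
```

Only the response check confirms actual exploitation; the request check alone flags attempts, including ones against patched 7.6.1 appliances.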

CVSS provenance

nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck · 7.2 HIGH