CVE-2025-34073
Published 2025-07-02
Priority P1 · 81 · critical · CVSS 4.0 base score 10
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit available
EPSS: 3.88% (88.9th percentile)
An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.
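To make the bug class concrete, the following is an added, schematic Python example; it is not Maltrail's code, and the `logger` command, its tag, the message format and the sample username are assumptions. It places the injectable pattern (a username spliced into one command string destined for `subprocess.check_output(..., shell=True)`, shown here only as a string and never executed) beside the hardened form: an allow-list on the username and an argv list that reaches the child process without a shell, so metacharacters stay literal text.

```python
import re
import shlex
import subprocess
import sys

# Schematic illustration, not Maltrail's code: a service that shells out to
# record a failed login and interpolates the client-supplied username.
# The `logger` command, its tag and the message format are assumptions.

USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def build_vulnerable_command(username: str) -> str:
    """The injectable pattern: the username is spliced into one string that
    would later be handed to subprocess.check_output(..., shell=True), so a
    ';', '`' or '|' in it is parsed by /bin/sh as command syntax.
    The string is returned for inspection only and never executed here."""
    return 'logger -t maltrail "failed login for %s"' % username


def has_shell_metacharacters(value: str) -> bool:
    """shlex.quote() returns its input unchanged only when the value is
    shell-safe; anything else would need quoting to survive a shell."""
    return shlex.quote(value) != value


def build_hardened_argv(username: str) -> list:
    """Hardened form: allow-list the username, then build an argv list (no
    shell). Each list element reaches the child process as one literal
    argument, never as syntax."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allow-list")
    return ["logger", "-t", "maltrail", "failed login for %s" % username]


def echo_as_single_argument(username: str) -> str:
    """Shows why an argv list is safe even before validation: the value
    arrives as exactly one argument. The current Python interpreter stands
    in for `logger` so the example runs offline on any platform."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])",
            "failed login for %s" % username]
    return subprocess.check_output(argv, text=True).strip()


if __name__ == "__main__":
    probe = "alice; id"  # constructed value containing a shell metacharacter
    print(build_vulnerable_command(probe))   # the ';' lands inside the shell string
    print(has_shell_metacharacters(probe))   # True
    print(echo_as_single_argument(probe))    # the ';' stays literal text
    print(build_hardened_argv("alice"))      # accepted by the allow-list
```

The allow-list is the primary control; the argv list is defence in depth, so that a validator bug does not turn back into code execution. `has_shell_metacharacters` is useful as a cheap log-side check for values that would have needed quoting.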
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stamparm | maltrail | <= 0.54 | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to the /login endpoint containing shell metacharacters (e.g., semicolons, backticks, pipes) in the username parameter, which indicate command injection attempts against Maltrail.
- Use Shodan query `http.title:"Maltrail"` or FOFA query `app="Maltrail"` to identify exposed Maltrail instances potentially vulnerable to this unauthenticated RCE.
- Detect exploitation by checking HTTP response headers for the presence of 'Maltrail' alongside out-of-band callback activity (HTTP or DNS) triggered from the server, indicating successful command execution.
- Exploitation does not require authentication; any unauthenticated POST to /login with a crafted username field should be treated as a high-severity alert on Maltrail versions <= 0.54.
- Injected commands execute with the privileges of the Maltrail process, so impact severity depends on the process's OS-level permissions at deployment time.
- The vulnerability affects Maltrail versions <= 0.54; the Metasploit module was specifically validated against versions 0.52 and 0.53, so detections should cover the full affected range.
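The first detection item above, as an added worked example that is not part of this page or of any listed tool: a small Python scanner over constructed request records (method, path, URL-encoded body) that decodes the `username` field of POSTs to /login before matching, so percent-encoded and `+`-encoded metacharacters are still caught, and that ignores other methods and endpoints. The sample requests and the metacharacter set are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, path, URL-encoded body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/login", "username=alice&password=secret"),         # benign
    ("POST", "/login", "username=alice%3B+id&password=x"),        # ';' URL-encoded
    ("POST", "/login", "username=%60whoami%60&password=x"),       # backticks
    ("POST", "/login?next=%2F", "username=bob%7Cls&password=x"),  # pipe; query string on path
    ("GET",  "/login", "username=alice%7Cls"),                    # wrong method, ignored
    ("POST", "/api/trails", "username=alice%26%26ls"),            # other endpoint, ignored
]

# Shell metacharacters the sources call out (';', backtick, '|') plus the usual
# command-substitution, chaining and redirection characters (an assumed set).
METACHARS = re.compile(r"[;|&`$()<>\n\r]")


def login_username(method, path, body):
    """Return the decoded username for a POST to /login, else None.
    Decoding before matching means %3B, %60 and '+' encodings are still seen."""
    if method != "POST" or urlsplit(path).path != "/login":
        return None
    values = parse_qs(body, keep_blank_values=True).get("username")
    return values[0] if values else None


def is_injection_attempt(method, path, body):
    """True when the request targets the vulnerable parameter with metacharacters."""
    username = login_username(method, path, body)
    return username is not None and METACHARS.search(username) is not None


def scan(requests):
    """Return (index, decoded_username) for every request that should alert."""
    return [(i, login_username(*req)) for i, req in enumerate(requests)
            if is_injection_attempt(*req)]


if __name__ == "__main__":
    for idx, user in scan(SAMPLE_REQUESTS):
        print("ALERT request #%d: POST /login username=%r" % (idx, user))
```

Because the check is keyed on the endpoint and parameter named in the advisory, a hit is specific to this bug class rather than to any one payload; pair it with the version check from the last list item, since an unauthenticated POST to /login on an affected version is the condition that matters.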
No detection rules found.
Metasploit: Maltrail Unauthenticated Command Injection
Maltrail is a malicious traffic detection system, utilizing publicly available blacklists containing malicious and/or generally suspicious trails. Maltrail versions <= 0.54 suffer from a command injection vulnerability. The `subprocess.check_output` function in `maltrail/core/httpd.py` contains a command injection vulnerability in the `params.get("username")` parameter. An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication. Successfully tested against Maltrail versions 0.52 and 0.53.
Nuclei: CVE-2025-34073 [CRITICAL] Maltrail <=0.54 Username Parameter - Remote Command Execution (CVSS 10.0)
Maltrail versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint.
Template:

```yaml
id: CVE-2025-34073

info:
  name: Maltrail <=0.54 Username Parameter - Remote Command Execution
  author: SeungAh-Hong
  severity: critical
  description: |
    Maltrail versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands through the username parameter in the login endpoint, achieving complete server compromise.
  remediation: |
    Upgrade Maltrail to version 0.55 or later that properly sanitiz
```
No writeups or analysis indexed.
References:
- https://github.com/stamparm/maltrail
- https://github.com/stamparm/maltrail/issues/19146
- https://huntr.com/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/maltrail_rce.rb
- https://vulncheck.com/advisories/stamparm-maltrail-rce