CVE-2025-34082
Published: 2025-07-03
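Priority: P277 | Severity: critical | CVSS 4.0: 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X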
EXPLOIT
EPSS: 5.28% (91.5th percentile)
A command injection vulnerability exists in IGEL OS versions prior to 11.04.270 within the Secure Terminal and Secure Shadow services. The flaw arises due to improper input sanitization in the handling of specially crafted PROXYCMD commands on TCP ports 30022 and 5900. An unauthenticated attacker with network access to a vulnerable device can inject arbitrary commands, leading to remote code execution with elevated privileges.
NOTE: IGEL OS v10.x has reached end-of-life (EOL) status.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| igel_technology_gmbh | os | >= 10 < 10.06.220 | 10.06.220 |
| igel_technology_gmbh | os | >= 11 < 11.04.270 | 11.04.270 |
Detection & IOCs
- Monitor for unauthenticated inbound connections to TCP port 30022 (telnet_ssl_connector / Secure Terminal) on IGEL OS devices, particularly those sending PROXYCMD payloads with shell metacharacters indicative of command injection.
- Monitor for unauthenticated inbound connections to TCP port 5900 (vnc_ssl_connector / Secure Shadow) on IGEL OS devices carrying malformed or injected PROXYCMD commands.
- Alert on unexpected process spawning (e.g., shell processes) as children of telnet_ssl_connector or vnc_ssl_connector processes on IGEL OS endpoints, which may indicate successful RCE with elevated privileges.
- A public Metasploit module exists for this vulnerability (linux/misc/igel_command_injection); correlate IDS/firewall logs for exploit framework signatures targeting IGEL OS on ports 30022 and 5900.
- The vulnerability is exploitable by unauthenticated attackers with network access; network-level controls (firewall rules blocking external access to TCP 30022 and 5900) are a critical compensating control until patching.
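The process-spawning check above, sketched as an added example (not part of the advisory or of any IGEL tooling): it walks a `ps -eo pid,ppid,comm` snapshot and reports shells that descend from either connector process. The shell name list and the sample snapshot are assumptions constructed for illustration; note that Linux truncates the `comm` field to 15 characters, so the connector names never appear in full there.

```python
# Added example: flag shells descended from the IGEL connector processes.
CONNECTORS = ("telnet_ssl_connector", "vnc_ssl_connector")  # process names from the text above
SHELLS = {"sh", "bash", "dash", "ash", "busybox"}  # assumption: names treated as shells
COMM_MAX = 15  # Linux keeps only the first 15 characters of a process name in comm

# Constructed sample of `ps -eo pid,ppid,comm` output (not captured from a real device).
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
  412     1 telnet_ssl_conn
  413     1 vnc_ssl_connect
  900   412 sh
  901   900 wget
  950     1 sshd
  951   950 bash
  960   413 worker
"""

def parse_ps(text):
    """Return {pid: (ppid, comm)} from a pid/ppid/comm listing with a header row."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs

def is_connector(comm):
    # Accept the full name or its 15-character truncated form.
    return any(comm in (c, c[:COMM_MAX]) for c in CONNECTORS)

def connector_ancestor(pid, procs):
    """Walk up the parent chain; return the pid of a connector ancestor, else None."""
    seen, ppid = set(), procs[pid][0]
    while ppid in procs and ppid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(ppid)
        if is_connector(procs[ppid][1]):
            return ppid
        ppid = procs[ppid][0]
    return None

def suspicious_shells(text):
    """Return (pid, comm, connector_pid, connector_comm) for each flagged shell."""
    procs, hits = parse_ps(text), []
    for pid, (_, comm) in sorted(procs.items()):
        anc = connector_ancestor(pid, procs) if comm in SHELLS else None
        if anc is not None:
            hits.append((pid, comm, anc, procs[anc][1]))
    return hits
```

Whether either service ever starts a shell in normal operation is not stated here, so baseline a known-good device before alerting on the output.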
References
- https://kb.igel.com/security-safety/current/isn-2021-01-igel-os-remote-command-execution-vulne
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/misc/igel_command_injection.rb
- https://vulncheck.com/advisories/igel-os-secure-terminal-shadow-rce
- https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt