cbcvebase.
CVE-2025-34087
published 2025-07-03


Priority: P2 (69)
Severity: high, CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Metasploit module under Detection & IOCs)
EPSS: 4.97%, percentile 91.1
An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.

Affected (2 ranges)

Vendor        Product   Version range   Fixed in
pi-hole       pi-hole   <= 3.3          (not listed)
pi-hole_llc   web       <= 3.3          (not listed)

Detection & IOCs (extracted from sources)

Source URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pihole_whitelist_exec.rb
  • Monitor HTTP POST requests to the Pi-hole AdminLTE web interface that target the whitelist/allowlist domain parameter for OS command injection patterns (semicolons, backticks, pipe characters, or $() subshell syntax appended to a domain string). Default web-server access logs do not record POST bodies, so this requires request-body logging at a reverse proxy or WAF in front of the admin interface.
  • Alert on processes spawned by the Pi-hole service user account that are not consistent with normal DNS and web-service activity, since injected commands run with that user's privileges.
  • Flag exploitation attempts against Pi-hole versions up to and including 3.3, specifically requests to the legacy AdminLTE whitelist endpoint.
  • A Metasploit module (unix/http/pihole_whitelist_exec) exists for this vulnerability; detect exploitation attempts whose traffic matches its request pattern against Pi-hole web interfaces.
  • Exploitation requires prior authentication to the Pi-hole web interface; unauthenticated attackers cannot trigger the command injection directly. A confirmed injection attempt therefore came from an authenticated session and should also be treated as evidence that the admin credentials are compromised.
  • The vulnerability is limited to Pi-hole <= 3.3 using the legacy AdminLTE interface; later versions are not affected.
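The first detection bullet, turned into something that runs. This is an added example, not code from the advisory, the Metasploit module, or the Pi-hole project: it scans request records for whitelist-add POSTs and flags any domain value that carries shell metacharacters or is not a syntactically valid hostname, so it catches the patterns the IOC list names and also anything else that is not a domain. The endpoint path /admin/scripts/pi-hole/php/add.php and the "METHOD PATH BODY" record format are assumptions made for this example, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs

# ASSUMPTION for this example: the legacy AdminLTE "add domain" handler is served at this
# path. It is not taken from the advisory; adjust it to what your deployment exposes.
WHITELIST_ADD_PATH = "/admin/scripts/pi-hole/php/add.php"

# Positive model of a domain name: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters, optional trailing dot.
VALID_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

# Negative model: the metacharacters the IOC list names (; ` | $( ) plus other shell
# operators that would equally reach a shell behind an unsanitized exec() call.
SHELL_META = re.compile(r"[;|&`\r\n]|\$\(|\$\{|<\(|>\(")


def inspect_domain(domain):
    """Return a reason string if the submitted domain looks like injection, else None."""
    if SHELL_META.search(domain):
        return "shell metacharacters in domain parameter"
    if not VALID_DOMAIN.match(domain):
        return "domain parameter is not a syntactically valid hostname"
    return None


def parse_record(line):
    """Constructed record format for this example: 'METHOD PATH BODY' (BODY url-encoded).

    Plain access logs do not carry POST bodies; a reverse proxy or WAF with body logging
    in front of the admin interface is needed to produce records like these.
    """
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return None
    method, path = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    return method, path.split("?", 1)[0], body


def scan_records(lines):
    """Return one finding per whitelist-add request whose domain value fails inspection."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_record(line)
        if parsed is None:
            continue
        method, path, body = parsed
        if method != "POST" or path != WHITELIST_ADD_PATH:
            continue
        params = parse_qs(body, keep_blank_values=True)  # percent-decodes and splits the body
        target_list = params.get("list", [""])[0]
        for domain in params.get("domain", []):
            reason = inspect_domain(domain)
            if reason:
                findings.append(
                    {"line": lineno, "list": target_list, "domain": domain, "reason": reason}
                )
    return findings


# Constructed sample records: one benign add, four injection attempts using the
# patterns from the IOC list, one malformed value, and one benign FQDN with a trailing dot.
SAMPLE_RECORDS = [
    "GET /admin/index.php",
    "POST /admin/scripts/pi-hole/php/add.php domain=example.com&list=white&token=deadbeef",
    "POST /admin/scripts/pi-hole/php/add.php domain=example.com%3Bid&list=white&token=deadbeef",
    "POST /admin/scripts/pi-hole/php/add.php domain=example.com%60id%60&list=white&token=deadbeef",
    "POST /admin/scripts/pi-hole/php/add.php domain=example.com+%7C+whoami&list=white&token=deadbeef",
    "POST /admin/scripts/pi-hole/php/add.php domain=example.com%24%28id%29&list=white&token=deadbeef",
    "POST /admin/scripts/pi-hole/php/add.php domain=example.com%20extra&list=white&token=deadbeef",
    "POST /admin/scripts/pi-hole/php/add.php domain=valid-host.example.org.&list=white&token=deadbeef",
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"record {finding['line']}: list={finding['list']!r} "
              f"domain={finding['domain']!r}: {finding['reason']}")
```

The allowlist check (VALID_DOMAIN) is the one that matters: a denylist of metacharacters documents the known exploit patterns but will miss encodings or operators it does not list, whereas anything that is not a hostname has no business in this parameter. Because the endpoint is authenticated, every finding is tied to a session token and the account behind it, which is where the incident response should start.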

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.0 CRITICAL
  CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X