CVE-2025-34098
published 2025-07-10CVE-2025-34098: A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering…
PriorityP348high7.1CVSS 4.0
AVNACLATNPRLUINVCHVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
0.72%
49.1th percentile
A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. An authenticated attacker can exploit this flaw by submitting crafted filter expressions to the log_filter endpoint using the filterStr parameter. This input is processed by a backend parser that permits execution of file expansion syntax, allowing the attacker to retrieve arbitrary system files via the log viewing interface.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| riverbed_technology | steelhead_vcx | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests to the management web interface targeting the log_filter endpoint with anomalous or crafted filterStr parameter values, particularly those containing path traversal sequences or file expansion syntax (e.g., glob patterns, `..`, `/etc/`, `/proc/`). ↗
- →A Metasploit auxiliary scanner module exists for this vulnerability (riverbed_steelhead_vcx_file_read.rb); look for scanner/http/riverbed_steelhead_vcx_file_read in exploit framework logs or network traffic patterns consistent with automated file read enumeration against Riverbed SteelHead VCX management interfaces. ↗
- →Scope detection to Riverbed SteelHead VCX255U appliances running version 9.6.0a, as this is the confirmed vulnerable version; prioritize alerting on authenticated sessions making unusual log filter requests on the management interface. ↗
- ·Exploitation requires prior authentication to the management web interface; unauthenticated access alone is insufficient to trigger this vulnerability. ↗
- ·Confirmed vulnerable only on VCX255U running firmware version 9.6.0a; applicability to other VCX models or firmware versions has not been confirmed in available sources. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
2025-07-10
Published