CVE-2025-34112
Published 2025-07-15
Priority: P2 (score 75) · Severity: critical (CVSS 4.0 base score 10.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (supplemental and environmental metrics all X: E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
Exploit: public (Metasploit module and Exploit-DB entry linked below)
EPSS: 2.00% (78.2 percentile)
An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. With that account, the attacker can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands as the web application's user. The attacker may then escalate to root by abusing an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root; the exploit uses this to extract SSH key material and chain further commands. Successful exploitation yields full remote root access to the virtual appliance.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| riverbed_technology | steelcentral_netexpress | 10.8.7 (from the description; no CPE range recorded) | — |
| riverbed_technology | steelcentral_netprofiler | 10.8.7 (from the description; no CPE range recorded) | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to '/api/common/1.0/login' containing SQL injection payloads (e.g., quote characters, UNION/INSERT statements) indicative of attempts to create rogue user accounts in the appliance database. Note that a plain web-server access log does not record POST bodies; inspecting body-borne payloads requires a WAF, reverse proxy, or application log that captures them.
- Monitor for authenticated requests to '/index.php?page=licenses' containing shell metacharacters or command injection sequences (';', '|', '&', backticks, '$(' ), which may indicate exploitation of the command injection vulnerability.
- Alert on the 'mazu' user executing commands via sudo, particularly commands that read SSH key material or chain several commands together, as this is the privilege escalation path to root.
- Detect the multi-stage chain as a whole: SQL injection on the login endpoint → new user creation → command injection on the licenses page → sudo privilege escalation by the 'mazu' user. Correlate these events across web and system logs; sudo logs carry no client IP, so the join from the web stages to the sudo stage has to be by host and time proximity.
- Look for unexpected new user accounts created in the application database following anomalous login endpoint activity, as the SQL injection is used specifically to insert a malicious user.
- The insecure sudoers configuration granting the 'mazu' user unrestricted sudo rights is a prerequisite for the privilege escalation stage; restricting that entry to the specific commands the appliance needs breaks the root escalation chain even if the web stages still succeed.
- The command injection requires an authenticated session, but the SQL injection that creates that session requires no prior credentials (hence PR:N in the vector above), so the full RCE chain depends on the attacker completing the SQL injection step before the command injection step.
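A worked detection pass over the chain described in the list above, added here as an example; it is not code from the page, Riverbed, Rapid7 or VulnCheck. It assumes Apache combined-format access logs and syslog-style sudo lines (which carry no year, so 2025 is supplied), UTC timestamps, and a 30-minute correlation window. The log lines, injection payloads and sudo commands are constructed illustrations, not the exploit's real requests; because access logs do not record POST bodies, the login-stage payload is placed in the query string. The last function audits a sudoers body for the prerequisite named in the list (a user who may run any command as root).

```python
"""Detection logic for the CVE-2025-34112 chain over constructed sample logs.
Added example; assumptions: Apache combined access log, syslog sudo lines, UTC."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log. POST bodies are not logged, so the SQL
# injection payload is carried in the query string of the second line.
ACCESS_LOG = """\
203.0.113.7 - - [15/Jul/2025:10:01:02 +0000] "POST /api/common/1.0/login HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [15/Jul/2025:10:01:09 +0000] "POST /api/common/1.0/login?username=a'%3B%20INSERT%20INTO%20users HTTP/1.1" 500 88 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jul/2025:10:02:31 +0000] "GET /index.php?page=licenses&key=x%3Bid%3E%2Ftmp%2Fo HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [15/Jul/2025:10:05:00 +0000] "GET /index.php?page=licenses HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed sample sudo lines; the commands merely illustrate "SSH key
# extraction and command chaining" and are not the exploit's actual commands.
SUDO_LOG = """\
Jul 15 10:03:10 netprofiler sudo:     mazu : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /root/.ssh/id_rsa
Jul 15 10:03:12 netprofiler sudo:     mazu : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c id; hostname
Jul 15 10:30:00 netprofiler sudo:     admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"')
SUDO_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')
SQLI_RE = re.compile(r"'|\b(?:UNION|INSERT)\b", re.I)   # quote characters, UNION/INSERT, as the IOC describes
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")            # common command-injection separators
SSH_KEY_RE = re.compile(r"\.ssh/|id_rsa|authorized_keys")
STAGES = ("sqli_login", "cmdi_licenses", "sudo_mazu_root")
SYSLOG_YEAR = 2025  # assumed: syslog timestamps carry no year

def parse_access(line):
    """One dict per access-log line, query string decoded into (name, value) pairs."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "params": parse_qsl(parts.query, keep_blank_values=True)}

def classify_web(ev):
    """Map a parsed request to a chain stage or None. Metacharacters are checked per
    decoded parameter value so the '&' separating parameters does not trigger."""
    values = [v for _, v in ev["params"]]
    if (ev["path"] == "/api/common/1.0/login" and ev["method"] == "POST"
            and any(SQLI_RE.search(v) for v in values)):
        return "sqli_login"
    if (ev["path"] == "/index.php" and ("page", "licenses") in ev["params"]
            and any(SHELL_META_RE.search(v) for v in values)):
        return "cmdi_licenses"
    return None

def parse_sudo(line):
    """Dict for sudo lines where 'mazu' ran a command as root, else None."""
    m = SUDO_RE.match(line)
    if not m or m["user"] != "mazu" or m["target"] != "root":
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {re.sub(' +', ' ', m['ts'])}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "cmd": m["cmd"],
            "ssh_key": bool(SSH_KEY_RE.search(m["cmd"]))}

def correlate(access_log=ACCESS_LOG, sudo_log=SUDO_LOG, window=timedelta(minutes=30)):
    """Group web stages by source IP, then attach 'mazu' sudo-to-root events seen within
    `window` after that IP's first command injection (sudo logs have no client IP, so
    time proximity on the same host is the only join key). Returns {ip: report}."""
    by_ip = {}
    for ev in filter(None, map(parse_access, access_log.splitlines())):
        stage = classify_web(ev)
        if stage:
            by_ip.setdefault(ev["ip"], []).append((ev["ts"], stage))
    sudo_events = list(filter(None, map(parse_sudo, sudo_log.splitlines())))
    report = {}
    for ip, stages in by_ip.items():
        cmdi_times = [ts for ts, s in stages if s == "cmdi_licenses"]
        if cmdi_times:
            for s in sudo_events:
                if timedelta(0) <= s["ts"] - min(cmdi_times) <= window:
                    stages.append((s["ts"], "sudo_mazu_root"))
        names = [s for _, s in sorted(stages)]
        first = [names.index(s) for s in STAGES if s in names]
        report[ip] = {"stages": names, "full_chain": len(first) == 3 and first == sorted(first)}
    return report

def unrestricted_sudo_users(sudoers_text):
    """Audit a sudoers body for the chain's prerequisite: a non-root user spec allowed
    to run ALL commands as root (or as ALL). Returns the offending user specs."""
    offenders = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(?P<who>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$", line)
        if (m and m["who"] != "root" and m["cmds"].strip() == "ALL"
                and m["runas"].split(":")[0].strip() in ("ALL", "root")):
            offenders.append(m["who"])
    return offenders
```

Running `correlate()` on the constructed samples reports the 203.0.113.7 source with all three stages in order and `full_chain` True, while 198.51.100.9 (a benign licenses page view) produces no stage at all; shrinking the window to a few seconds drops the sudo stage and the chain is no longer complete. `unrestricted_sudo_users("mazu ALL=(ALL) NOPASSWD: ALL")` returns `['mazu']`, which is the finding that the hardening bullet above asks you to eliminate.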
No detection rules found.
No writeups or analysis indexed.
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb
- https://support.riverbed.com/content/support/software/steelcentral-npm/net-profiler.html
- https://www.exploit-db.com/exploits/40108
- https://www.vulncheck.com/advisories/riverbed-steel-central-net-profiler-net-express-rce