CVE-2025-34116
published 2025-07-15


Priority: P2 61 · high · 8.7 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.14% (62.5th percentile)
A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| ipfire_project | ipfire | < 2.19 Core Update 101 | 2.19 Core Update 101 |

Detection & IOCs (extracted from sources)

path: /cgi-bin/proxy.cgi
  • Monitor HTTP requests to proxy.cgi containing shell metacharacters or command injection payloads in NCSA user creation form fields (e.g., username/password fields with characters like ;, |, $(), backticks).
  • Target application is IPFire versions prior to 2.19 Core Update 101; presence of proxy.cgi on an IPFire host below this version indicates exploitable attack surface.
  • A Metasploit module exists for this vulnerability (ipfire_proxy_exec.rb); watch for exploitation attempts matching its default payload delivery patterns against proxy.cgi.
  • Exploitation requires prior authentication; unauthenticated attackers cannot directly exploit this vulnerability.
  • Command execution occurs with web server privileges, not root; post-exploitation privilege escalation may be required for full system compromise.
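
One way to implement the first monitoring bullet, as an added example (not code from this page or from the IPFire project): it scans captured POST requests to /cgi-bin/proxy.cgi and reports NCSA form fields whose decoded values contain shell metacharacters. The `NCSA_` field-name prefix, the url-encoded body format, the availability of request bodies in the log source, and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions (not stated on the page): the NCSA user-creation fields are
# POSTed url-encoded with names starting "NCSA_", and the log source
# (WAF, reverse proxy) records request bodies.
TARGET_PATH = "/cgi-bin/proxy.cgi"
FIELD_PREFIX = "NCSA_"

# Metacharacters named on the page (; | $() backticks) plus other common
# shell separators, redirections and expansions.
SHELL_META = re.compile(r"[;|&`<>\r\n]|\$\(|\$\{")


def suspicious_fields(method, url, body):
    """Return sorted NCSA_* field names whose decoded value holds shell metacharacters."""
    if method.upper() != "POST" or urlsplit(url).path != TARGET_PATH:
        return []
    hits = set()
    # parse_qsl percent-decodes once, so %3B, %60 and '+' are normalised
    # before the pattern is applied.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.startswith(FIELD_PREFIX) and SHELL_META.search(value):
            hits.add(name)
    return sorted(hits)


def scan(requests):
    """Return (index, flagged_fields) for every request with at least one hit."""
    findings = []
    for index, (method, url, body) in enumerate(requests):
        fields = suspicious_fields(method, url, body)
        if fields:
            findings.append((index, fields))
    return findings


# Constructed sample requests: (method, request target, body).
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/proxy.cgi", "NCSA_USERNAME=alice&NCSA_PASS=Tr0ub4dor&NCSA_PASS_CONFIRM=Tr0ub4dor"),
    ("POST", "/cgi-bin/proxy.cgi", "NCSA_USERNAME=alice%3Bid&NCSA_PASS=x&NCSA_PASS_CONFIRM=x"),
    ("POST", "/cgi-bin/proxy.cgi", "NCSA_USERNAME=bob&NCSA_PASS=%60id%60&NCSA_PASS_CONFIRM=%60id%60"),
    ("POST", "/cgi-bin/index.cgi", "NCSA_USERNAME=a%7Cb"),
    ("GET", "/cgi-bin/proxy.cgi", ""),
]

if __name__ == "__main__":
    for index, fields in scan(SAMPLE_REQUESTS):
        print(f"request {index}: shell metacharacters in {', '.join(fields)}")
```

Password fields can legitimately contain these characters, so hits there need review; a hit in a username field is the stronger signal.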