CVE-2025-34300
published 2025-07-16


Priority: P1 (93) · Severity: critical · CVSS 4.0 base score: 10.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 49.42% (98.7th percentile)
A template injection vulnerability exists in Sawtooth Software's Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl Perl web application. Exploitation allows an unauthenticated attacker to execute arbitrary commands on the web server.

Affected

1 range
Vendor: sawtooth_software · Product: lighthouse_studio · Version range: < 9.16.14 · Fixed in: 9.16.14

Detection & IOCs (extracted from sources)

path: /cgi-bin/ciwweb.pl
url: /cgi-bin/ciwweb.pl?hid_javascript=1&hid_Random_ACARAT=
other: hid_Random_ACARAT
sigma
shodan-query: html:"Lighthouse Studio"
  • Exploit requests target GET /cgi-bin/ciwweb.pl with the parameters hid_javascript=1 and hid_Random_ACARAT, the latter carrying a template-injection payload of the form [%25...%25] (the URL-encoded [% ... %] template delimiters; their contents are passed to Perl eval). Detect HTTP requests to this endpoint whose hid_Random_ACARAT value contains bracket-percent sequences.
  • Successful exploitation is confirmed when the HTTP 200 response body contains name="hid_Random_ACARAT" value="<computed_result>", indicating that the server-side Perl eval executed the injected arithmetic expression.
  • The vulnerability is rooted in unsafe use of Perl's eval() in the ciwweb.pl CGI component. Monitor for unexpected process spawning from the web server process (e.g., perl or ciwweb.pl launching system commands).
  • The vulnerability is pre-authentication (no session or auth cookie required). Any unauthenticated request to /cgi-bin/ciwweb.pl with hid_Random_ACARAT containing [% ... %] template syntax should be treated as a potential exploitation attempt.
  • A Metasploit module exists for this CVE at modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb. Correlate IDS/WAF alerts with known Metasploit User-Agent strings or scan patterns against /cgi-bin/ciwweb.pl.
  • The nuclei template uses randomized integers for num1 and num2 (rand_int 40000–44800) and verifies exploitation by checking for their product in the response body. Detection rules based on static payload values will miss this; pattern-match on the [%25 ... %25] bracket-percent structure in the hid_Random_ACARAT parameter instead.
  • The hid_Random_ACARAT parameter is submitted twice in the exploit request (once with the payload, once with the value 'x'). Detection logic should account for duplicate parameter submission as an additional signal.
  • Only Lighthouse Studio versions prior to 9.16.14 are vulnerable. Make version fingerprinting part of triage to reduce false positives on patched instances.
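The detection notes above describe three things a rule can key on: the request shape (template syntax inside hid_Random_ACARAT on /cgi-bin/ciwweb.pl), the duplicated parameter, and the response check that confirms the server actually evaluated the injected expression. The script below is an added example written for this page; it is not code from VulnCheck, Sawtooth Software, the Nuclei project or the Metasploit module. It runs that logic over constructed access-log lines and a constructed response fragment. The exact expression form inside the delimiters (num1*num2) and the sample log lines are assumptions; the page only states that a randomized arithmetic product is checked.

```python
"""Detection helper for CVE-2025-34300 probes against ciwweb.pl (constructed example).

Flags requests to /cgi-bin/ciwweb.pl whose hid_Random_ACARAT value carries
[% ... %] template syntax, records duplicate submissions of that parameter,
and, when a response body is available, checks whether the server echoed the
computed value of the injected expression (the success condition described
in the detection notes).
"""
import ast
import operator
import re
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/cgi-bin/ciwweb.pl"
PARAM = "hid_Random_ACARAT"

# After URL-decoding, [%25 ... %25] becomes [% ... %]; match the decoded form.
TEMPLATE_RE = re.compile(r"\[%.*?%\]", re.S)
# Response marker quoted in the detection notes.
RESP_RE = re.compile(r'name="hid_Random_ACARAT"\s+value="([^"]*)"')
# Access-log request line, e.g. "GET /path?x=y HTTP/1.1".
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Integer arithmetic only; anything else is rejected rather than evaluated.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def safe_arith(expr: str) -> int:
    """Evaluate an integer +,-,* expression via the AST, never via eval()."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError("unsupported expression")
    return ev(ast.parse(expr.strip(), mode="eval"))


def analyze_request(url: str) -> dict:
    """Inspect one request URL (path + query) for the CVE-2025-34300 pattern."""
    split = urlsplit(url)
    result = {"target_path": split.path == TARGET_PATH, "suspicious": False,
              "payloads": [], "param_count": 0, "duplicate_param": False}
    if not result["target_path"]:
        return result
    # parse_qsl decodes %25 -> % and preserves repeated parameters.
    values = [v for k, v in parse_qsl(split.query, keep_blank_values=True) if k == PARAM]
    result["param_count"] = len(values)
    result["duplicate_param"] = len(values) > 1
    for v in values:
        result["payloads"].extend(TEMPLATE_RE.findall(v))
    result["suspicious"] = bool(result["payloads"])
    return result


def confirm_exploitation(url: str, response_body: str) -> bool:
    """True when the response echoes the value of an injected arithmetic expression."""
    req = analyze_request(url)
    m = RESP_RE.search(response_body)
    if not req["suspicious"] or not m:
        return False
    echoed = m.group(1).strip()
    for payload in req["payloads"]:
        try:
            expected = safe_arith(payload[2:-2])  # strip the [% and %] delimiters
        except (ValueError, SyntaxError):
            continue  # not plain arithmetic; cannot confirm from the echo alone
        if str(expected) == echoed:
            return True
    return False


def scan_access_log(lines) -> list:
    """Return the log lines that carry the injection pattern, with analysis attached."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            r = analyze_request(m.group("url"))
            if r["suspicious"]:
                hits.append({"line": line, **r})
    return hits


# Constructed sample data (not captured traffic). 40001*40002 = 1600120002.
PROBE_URL = ("/cgi-bin/ciwweb.pl?hid_javascript=1"
             "&hid_Random_ACARAT=[%2540001*40002%25]&hid_Random_ACARAT=x")
SAMPLE_ACCESS_LOG = [
    f'203.0.113.7 - - [16/Jul/2025:10:01:02 +0000] "GET {PROBE_URL} HTTP/1.1" 200 5120',
    '198.51.100.4 - - [16/Jul/2025:10:01:05 +0000] "GET /cgi-bin/ciwweb.pl?hid_javascript=1&hid_Random_ACARAT=a83kd HTTP/1.1" 200 5120',
    '198.51.100.9 - - [16/Jul/2025:10:02:11 +0000] "GET /index.html?q=[%251*1%25] HTTP/1.1" 404 210',
]
SAMPLE_RESPONSE = '<input type="hidden" name="hid_Random_ACARAT" value="1600120002">'

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("probe:", hit["payloads"], "duplicate_param:", hit["duplicate_param"])
    print("exploitation confirmed:", confirm_exploitation(PROBE_URL, SAMPLE_RESPONSE))
```

Matching on the decoded [% ... %] structure rather than on literal numbers is what makes this survive the randomized num1/num2 values; the echo check is only meaningful when both request and response are available (proxy or WAF logs), and a payload that is not plain arithmetic is still reported as suspicious even though success cannot be confirmed from the echo.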

CVSS provenance

NVD: v4.0 · 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL