CVE-2025-34300
Published 2025-07-16
Priority: P1 (93) · Severity: critical · CVSS 4.0 base score: 10.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Status: exploited in the wild (ITW) · public exploit available · VulnCheck KEV · tactic: Initial access
EPSS: 49.42% (98.7th percentile)
A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl Perl web application. Exploitation allows an unauthenticated attacker to execute arbitrary commands.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sawtooth_software | lighthouse_studio | < 9.16.14 | 9.16.14 |
Detection & IOCs (extracted from sources)
Sigma rule: available (see linked source)
Shodan query: html:"Lighthouse Studio"
- Exploit requests target GET /cgi-bin/ciwweb.pl with the parameters hid_javascript=1 and hid_Random_ACARAT, the latter carrying a template injection payload of the form [% ... %], which ciwweb.pl hands to Perl eval. On the wire the percent signs are normally URL-encoded, so the raw request reads [%25 ... %25]; match on the decoded value, or on both forms, so that an inspection point that normalises before matching and one that does not both catch it.
- Successful exploitation is confirmed when the HTTP 200 response body contains name="hid_Random_ACARAT" value="<computed_result>": the server-side Perl eval executed the injected arithmetic expression and echoed its result back into the hidden form field.
- The root cause is unsafe use of Perl's eval() in the ciwweb.pl CGI component. Monitor for unexpected child processes of the web server (perl or ciwweb.pl spawning a shell or other system commands).
- The vulnerability is pre-authentication (no session or auth cookie required). Any request to /cgi-bin/ciwweb.pl whose hid_Random_ACARAT value contains [% ... %] template syntax should be treated as a potential exploitation attempt, whether or not the client presented credentials.
- A Metasploit module exists at modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb. Correlating IDS/WAF alerts with known Metasploit User-Agent strings or scan patterns against /cgi-bin/ciwweb.pl adds context, but the User-Agent is trivially changed by the operator, so treat it as a secondary signal only.
- The nuclei template uses randomised integers for num1 and num2 (rand_int 40000–44800) and verifies exploitation by checking for their product in the response body. Detection rules keyed on static payload values will miss it; pattern-match on the bracket-percent structure in hid_Random_ACARAT instead.
- The hid_Random_ACARAT parameter is submitted twice in the exploit request (once with the payload, once with the value 'x'). Duplicate submission of this parameter is an additional signal, though detection should not depend on it.
- Only Lighthouse Studio versions prior to 9.16.14 are vulnerable. Include version fingerprinting in triage to reduce false positives on patched instances.
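As an added example, not code from any of the sources above or from Sawtooth Software, the following Python implements the detection logic described in this list over constructed request lines: it URL-decodes the query string so that [%25 ... %25] is matched as [% ... %], flags duplicate submission of hid_Random_ACARAT, and confirms an a*b probe by recomputing the product and looking for it in a 200 response body. The request-line format, the exact hidden-input markup used to locate the echoed value, and the sample traffic are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/cgi-bin/ciwweb.pl"
PARAM = "hid_Random_ACARAT"

# [% ... %] template delimiters as they appear after URL-decoding ([%25 ... %25] on the wire).
TEMPLATE_RE = re.compile(r"\[%.*?%\]", re.S)
# Arithmetic probe of the kind the nuclei template sends, e.g. [%41234*43210%].
ARITH_RE = re.compile(r"\[%\s*(\d+)\s*\*\s*(\d+)\s*%\]")
# Echoed result in the response body. Assumed markup: only the name/value pair comes from the sources.
RESULT_RE = re.compile(r'name="hid_Random_ACARAT"\s+value="(-?\d+)"')


def analyze_request(request_line):
    """Inspect one HTTP request line of the form 'METHOD target HTTP/x'.

    Returns None when the request is not for ciwweb.pl or carries no
    hid_Random_ACARAT parameter, otherwise a dict describing the findings.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    if url.path != TARGET_PATH:
        return None
    # parse_qsl URL-decodes every value, so %25 becomes % and [%25..%25] becomes [%..%].
    params = parse_qsl(url.query, keep_blank_values=True)
    values = [v for k, v in params if k == PARAM]
    if not values:
        return None
    payloads = [v for v in values if TEMPLATE_RE.search(v)]
    return {
        "method": method,
        "suspicious": bool(payloads),
        "payloads": payloads,
        "duplicate_param": len(values) > 1,
        "hid_javascript": dict(params).get("hid_javascript"),
    }


def confirm_exploitation(finding, status, body):
    """If the payload was an a*b probe and a 200 response echoes a*b, return the product."""
    if status != 200 or not finding or not finding["suspicious"]:
        return None
    echoed = RESULT_RE.search(body)
    if not echoed:
        return None
    for payload in finding["payloads"]:
        m = ARITH_RE.search(payload)
        if m and int(m.group(1)) * int(m.group(2)) == int(echoed.group(1)):
            return int(echoed.group(1))
    return None


def scan(request_lines):
    """Return (line, finding) pairs for requests carrying template syntax in hid_Random_ACARAT."""
    hits = []
    for line in request_lines:
        finding = analyze_request(line)
        if finding and finding["suspicious"]:
            hits.append((line, finding))
    return hits


# Constructed sample traffic for the example; not captured from a real system.
SAMPLE_REQUESTS = [
    # Ordinary survey page load: the hidden field is present but holds no template syntax.
    "GET /cgi-bin/ciwweb.pl?hid_javascript=1&hid_Random_ACARAT=123456 HTTP/1.1",
    # Same parameter against an unrelated script: out of scope for this rule.
    "GET /cgi-bin/index.pl?hid_Random_ACARAT=%5B%25x%25%5D HTTP/1.1",
    # Nuclei-style probe: [%25 a*b %25] with the parameter sent twice, second copy set to x.
    "GET /cgi-bin/ciwweb.pl?hid_javascript=1"
    "&hid_Random_ACARAT=%5B%2541234*43210%25%5D&hid_Random_ACARAT=x HTTP/1.1",
]
# Constructed response body: 41234 * 43210 = 1781721140 echoed into the hidden field.
SAMPLE_BODY = '<input type="hidden" name="hid_Random_ACARAT" value="1781721140">'

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_REQUESTS):
        print("ALERT", line)
        print("  duplicate hid_Random_ACARAT:", finding["duplicate_param"])
        print("  confirmed product:", confirm_exploitation(finding, 200, SAMPLE_BODY))
```

Decoding before matching is the important design choice: a rule written against the literal string `[%25` will miss a client that sends the bare `[%` (which a lenient server still accepts), while a rule written against `[%` applied to the raw URL will miss the encoded form. Matching the decoded value covers both.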
CVSS provenance
NVD: CVSS 4.0 · 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL
GHSA
GHSA-m8mc-qpg2-g56x (unreviewed · 2025-07-16) · CVE-2025-34300 [CRITICAL] · CWE-20
A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl Perl web application. Exploitation allows an unauthenticated attacker to execute arbitrary commands.
VulnCheck
CVE-2025-34300 [CRITICAL] · Improper Input Validation · 2025 · CVSS 10.0
A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl Perl web application. Exploitation allows an unauthenticated attacker to execute arbitrary commands.
Affected: Sawtooth Software Lighthouse Studio
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-34300
Exploit PoC: https://vulncheck.com/xdb/957ea3f7ec19
No detection rules found.
Metasploit
Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio (CVE-2025-34300) · CVE-2025-34300 [CRITICAL] · CVSS 10.0
This module exploits a template injection vulnerability in the Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application. The application fails to properly sanitize user input within survey templates, allowing unauthenticated attackers to inject and execute arbitrary Perl commands on the target system. This vulnerability affects Lighthouse Studio versions prior to 9.16.14. Successful exploitation may result in remote code execution under the privileges of the web server, potentially exposing sensitive data or disrupting survey operations. An attacker can execute arbitrary system commands in the context of the user running the web server.
Nuclei
SawtoothSoftware Lighthouse Studio < 9.16.14 - Pre-Auth Remote Code Execution · CVE-2025-34300 [CRITICAL] · CVSS 10.0
A pre-authentication remote code execution vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14. The issue arises from the unsafe use of the `eval` function within the Perl CGI component `ciwweb.pl`, where attacker-supplied input inside `hid_Random_ACARAT` is directly passed to `eval`. This allows remote unauthenticated attackers to execute arbitrary Perl code on the server.
Template (excerpt):
id: CVE-2025-34300
info:
  name: SawtoothSoftware Lighthouse Studio < 9.16.14 - Pre-Auth Remote Code Execution
  author: assetnote,DhiyaneshDK,iamnoooob
  severity: critical
  description: |
    A pre-authentication remote code execution vulnerability exists in Sawtooth Software’s Lighthouse Studio version
References:
https://sawtoothsoftware.com/resources/software-downloads/lighthouse-studio/version-history
https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/
https://www.vulncheck.com/advisories/sawtooth-software-lighthouse-studio-preauthentication-rce