cbcvebase.
CVE-2025-34311
published 2025-10-28

Priority: P2 · 71 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EPSS: 13.78% (96.0th percentile)
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.

Affected

3 ranges

Vendor        Product   Version range               Fixed in
ipfire.org    ipfire    < 2.29 (Core Update 198)    2.29 (Core Update 198)
ipfire        ipfire    < 2.29                      2.29
ipfire        ipfire    -                           -

Detection & IOCs (extracted from sources)

URL: /cgi-bin/logs.cgi/calamaris.dat
Snort/Suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS IPFire calamaris.dat Multiple Parameters Command Injection Attempt (CVE-2025-34311)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:31; content:"/cgi-bin/logs.cgi/calamaris.dat"; fast_pattern; http.request_body; pcre:"/(?:(?:DAY|MONTH|YEAR)_(?:BEGIN|END)|NUM_(?:CONTENT|HOSTS|URLS|DOMAINS)|HIST_LEVEL|PERF_INTERVAL|BYTE_UNIT)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,bugzilla.ipfire.org/attachment.cgi?id=1663; reference:cve,2025-34311; classtype:attempted-admin; sid:2065594; rev:1; metadata:affected_product IPFire, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_30, cve CVE_2025_34311, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor for HTTP POST requests to the exact URI /cgi-bin/logs.cgi/calamaris.dat (bsize:31) — any such POST is scoped to the Proxy report functionality and is the attack entry point.
  • Inspect POST body parameters DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT for shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24).
  • The Snort/Suricata PCRE pattern for body detection is: /(?:(?:DAY|MONTH|YEAR)_(?:BEGIN|END)|NUM_(?:CONTENT|HOSTS|URLS|DOMAINS)|HIST_LEVEL|PERF_INTERVAL|BYTE_UNIT)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/
  • Exploitation requires prior authentication; correlate alerts with authenticated sessions to the IPFire web UI to prioritise triage.
  • Resulting command execution runs as OS user 'nobody'; look for unexpected child processes spawned by the mkreport helper or web server process under that UID.
  • The Snort/Suricata rule (sid:2065594) carries the metadata tls_state plaintext: it matches on cleartext HTTP content, so it will NOT fire on TLS-encrypted traffic to the IPFire admin interface. Ensure the sensor sees decrypted traffic, either in-line behind TLS termination or with TLS inspection enabled.
  • The URI bsize:31 constraint in the rule exactly matches the 31-byte string /cgi-bin/logs.cgi/calamaris.dat; any URL-encoded or path-traversal variation of the URI will evade this check.
  • Affected versions are IPFire prior to 2.29 Core Update 198; the rule metadata scopes deployment to both Perimeter and Internal, so sensors should be placed accordingly.
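As an added example (not code from cbcvebase, the ET rule authors, or the IPFire project), the following Python script applies the detection logic above to raw HTTP requests: the POST-to-exact-URI check and the rule's own body PCRE, run over two constructed requests. It goes one step beyond the rule by percent-decoding the URI before comparison, which covers the encoded-URI gap noted in the caveats; the hostname ipfire.example and both request bodies are constructed sample data.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Exact URI from the advisory; the ET rule pins it with bsize:31 (31 bytes).
TARGET_URI = "/cgi-bin/logs.cgi/calamaris.dat"

# Body PCRE taken unchanged from the ET rule: a report parameter whose value
# carries a shell metacharacter, raw or URL-encoded (; newline ` | $).
BODY_PATTERN = re.compile(
    r"(?:(?:DAY|MONTH|YEAR)_(?:BEGIN|END)|NUM_(?:CONTENT|HOSTS|URLS|DOMAINS)"
    r"|HIST_LEVEL|PERF_INTERVAL|BYTE_UNIT)\x3d[^\x26]*?"
    r"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)


def parse_request(raw: str) -> Tuple[str, str, str]:
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return method, uri, body


def flag_request(raw: str) -> Optional[str]:
    """Return the first offending 'PARAM=value' fragment, or None if clean.

    The URI is percent-decoded before comparison (the rule's bsize:31 match is
    exact), so an encoded variant of the path does not slip past this check.
    """
    method, uri, body = parse_request(raw)
    if method != "POST" or unquote(uri) != TARGET_URI:
        return None
    m = BODY_PATTERN.search(body)
    return m.group(0) if m else None


# Constructed sample requests (not captured traffic). The second carries a
# URL-encoded semicolon in NUM_HOSTS, the shape the rule is written to catch.
BENIGN = (
    "POST /cgi-bin/logs.cgi/calamaris.dat HTTP/1.1\r\nHost: ipfire.example\r\n\r\n"
    "DAY_BEGIN=1&MONTH_BEGIN=10&YEAR_BEGIN=2025&DAY_END=28&MONTH_END=10"
    "&YEAR_END=2025&NUM_HOSTS=20&BYTE_UNIT=MB"
)
SUSPECT = (
    "POST /cgi-bin/logs.cgi/calamaris%2Edat HTTP/1.1\r\nHost: ipfire.example\r\n\r\n"
    "DAY_BEGIN=1&MONTH_BEGIN=10&YEAR_BEGIN=2025&NUM_HOSTS=20%3Bprobe&BYTE_UNIT=MB"
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, "->", flag_request(req))
```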

CVSS provenance

NVD   v3.1   8.8   HIGH   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD   v4.0   8.7   HIGH   CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X