CVE-2025-34312
published 2025-10-28


Priority: P266
CVSS 3.1 base score: 8.8 (High); vector AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.30% (81.1th percentile)
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
ipfire.org | ipfire | < 2.29 (Core Update 198) | 2.29 (Core Update 198)
ipfire | ipfire | < 2.29 | 2.29
ipfire | ipfire | (not given) | (not given)

Detection & IOCs (extracted from sources)

path: /cgi-bin/urlfilter.cgi
url: bugzilla.ipfire.org/attachment.cgi?id=1663
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS IPFire urlfilter.cgi BE_NAME Parameter Command Injection Attempt (CVE-2025-34312)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:22; content:"/cgi-bin/urlfilter.cgi"; fast_pattern; http.request_body; content:"BE_NAME|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,bugzilla.ipfire.org/attachment.cgi?id=1663; reference:cve,2025-34312; classtype:attempted-admin; sid:2065596; rev:1; metadata:affected_product IPFire, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_30, cve CVE_2025_34312, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP POST requests to /cgi-bin/urlfilter.cgi whose BE_NAME body parameter value contains a shell metacharacter, raw or percent-encoded: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C) or dollar sign ($ / %24)
  • The rule's bsize:22 requires the URI buffer to be exactly 22 bytes, the length of /cgi-bin/urlfilter.cgi; this strict length check reduces false positives
  • The injection occurs in the BE_NAME POST body parameter during blacklist installation; the value is interpolated directly into a shell invocation without sanitisation, so injected commands execute as the 'nobody' user
  • Only plaintext (non-TLS) traffic is in scope for this rule; the metadata field tls_state is set to plaintext
  • Exploitation requires prior authentication; unauthenticated attackers cannot reach the vulnerable parameter
  • The vulnerability is fixed in IPFire 2.29 (Core Update 198); all prior versions are affected
  • The Snort/Suricata rule (sid:2065596) is scoped to perimeter and internal deployment and targets plaintext HTTP only; HTTPS-wrapped traffic to the management interface will not be detected by this rule
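The rule's matching conditions re-implemented in Python and run over constructed sample requests, as an added example for testing detection coverage (not code from this page, from IPFire or from the rule's authors). The sample bodies and the ipfire.example host are constructed, and reading bsize:22 as "the URI with no query string" is an assumption about how the rule is evaluated.

```python
import re

# Shell metacharacters the rule (sid:2065596) looks for after "BE_NAME=",
# raw or percent-encoded: ';' newline '`' '|' '$'. A '&' ends the value,
# so a metacharacter that only appears in a later parameter does not match.
META_IN_VALUE = re.compile(rb"^[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")
TARGET_URI = b"/cgi-bin/urlfilter.cgi"  # 22 bytes: what the rule's bsize:22 requires


def is_be_name_injection_attempt(raw_request: bytes) -> bool:
    """Mirror the rule over one plaintext HTTP request: POST, URI exactly
    /cgi-bin/urlfilter.cgi, and a BE_NAME body value holding a metacharacter."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return False
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"POST":
        return False
    # Assumption: bsize:22 covers the whole URI buffer, so a query string
    # makes the URI longer than 22 bytes and the rule no longer fires.
    if parts[1] != TARGET_URI:
        return False
    # content:"BE_NAME|3d|" can match anywhere in the body and the pcre runs
    # relative to that match (/R), so every occurrence is tested.
    start = 0
    while (pos := body.find(b"BE_NAME=", start)) != -1:
        if META_IN_VALUE.match(body[pos + len(b"BE_NAME="):]):
            return True
        start = pos + 1
    return False


def build_request(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Constructed sample request (not captured traffic) in the shape the rule inspects."""
    return (method + b" " + uri + b" HTTP/1.1\r\nHost: ipfire.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: a normal install, raw and encoded metacharacters, a
# metacharacter only in another parameter, and requests the rule must ignore.
SAMPLES = {
    "benign install": (b"POST", TARGET_URI, b"BE_NAME=custom&ACTION=install"),
    "raw semicolon": (b"POST", TARGET_URI, b"BE_NAME=custom;id&ACTION=install"),
    "encoded pipe": (b"POST", TARGET_URI, b"BE_NAME=custom%7Cid&ACTION=install"),
    "metachar in other param": (b"POST", TARGET_URI, b"BE_NAME=custom&NOTE=a;b"),
    "query string breaks bsize": (b"POST", TARGET_URI + b"?x=1", b"BE_NAME=a;b"),
    "get request": (b"GET", TARGET_URI, b"BE_NAME=a;b"),
}


def classify_samples() -> dict:
    return {name: is_be_name_injection_attempt(build_request(*args))
            for name, args in SAMPLES.items()}
```

The "metachar in other param" and "query string" cases show two limits of the rule worth knowing when tuning it: only the BE_NAME value itself is inspected, and any URI longer than 22 bytes falls outside the signature.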

CVSS provenance

Source | Version | Score | Severity | Vector
NVD | CVSS v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD | CVSS v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X