cbcvebase.
CVE-2025-54769
published 2025-07-29

CVE-2025-54769: An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can…

PriorityP270high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
3.04%
85.9th percentile
An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.

Affected

2 ranges
VendorProductVersion rangeFixed in
xoruxlpar2rrd<= 8.04
xoruxlpar2rrd

Detection & IOCsextracted from sources · hover to see the quote

url/lpar2rrd-cgi/upgrade.sh
url/lpar2rrd-cgi/users.sh?cmd=commandLinux
filenameusers.pl
path/lpar2rrd-cgi/users.sh
otherupgfile
urlhttp://127.0.0.1/lpar2rrd/index.html?amenu=upgrade&tab=0
  • Alert on GET requests to /lpar2rrd-cgi/users.sh (or any newly appeared .sh/.pl CGI file) with the query parameter cmd=commandLinux, which is the RCE trigger after successful upload.
  • Detect directory traversal in the uploaded filename field ('upgfile') during multipart uploads to the upgrade endpoint — the exploit places the file outside the intended upload directory into a CGI-executable path.
  • Watch for creation of unexpected .pl files (e.g., users.pl) within CGI-accessible directories of the LPAR2RRD installation, which would indicate successful exploitation.
  • Flag upload requests to the upgrade endpoint that include the header 'X-Requested-With: XMLHttpRequest' combined with a multipart Perl file upload (MIME type application/x-perl), as this matches the exploit's exact request fingerprint.
  • Monitor for overwriting of existing PERL modules within the application, which is the described persistence/RCE mechanism for this CVE.
  • ·The vulnerability requires an authenticated session (read-only user privilege is sufficient); unauthenticated exploitation is not possible. Detection should account for the Authorization header being present in exploit requests.
  • ·The exploit supports both HTTP and HTTPS and configurable ports (defaulting to 80/443); detection rules should not be limited to a single protocol or port.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.