CVE-2025-54769
Published 2025-07-29
Priority: P2 · 70 · high · CVSS 3.1: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.04% (85.9th percentile)
An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xorux | lpar2rrd | <= 8.04 | — |
| xorux | lpar2rrd | — | — |
Detection & IOCs
- Alert on GET requests to /lpar2rrd-cgi/users.sh (or any newly appeared .sh/.pl CGI file) with the query parameter cmd=commandLinux, which is the RCE trigger after successful upload.
- Detect directory traversal in the uploaded filename field ('upgfile') during multipart uploads to the upgrade endpoint: the exploit places the file outside the intended upload directory into a CGI-executable path.
- Watch for creation of unexpected .pl files (e.g., users.pl) within CGI-accessible directories of the LPAR2RRD installation, which would indicate successful exploitation.
- Flag upload requests to the upgrade endpoint that include the header 'X-Requested-With: XMLHttpRequest' combined with a multipart Perl file upload (MIME type application/x-perl), as this matches the exploit's exact request fingerprint.
- Monitor for overwriting of existing PERL modules within the application, which is the described persistence/RCE mechanism for this CVE.
- The vulnerability requires an authenticated session (read-only user privilege is sufficient); unauthenticated exploitation is not possible. Detection should account for the Authorization header being present in exploit requests.
- The exploit supports both HTTP and HTTPS and configurable ports (defaulting to 80/443); detection rules should not be limited to a single protocol or port.
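The request-side checks from the list above, combined into one inspection function. This is an added example, not code from the vendor or from the sources this page indexes. It assumes a proxy or WAF hook that exposes the method, path, query string, headers and raw multipart body; the finding names, the `/upload-endpoint` path and the sample requests are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote

# Multipart part whose form field is 'upgfile' (field name taken from the page).
UPGFILE_RE = re.compile(
    rb'Content-Disposition:\s*form-data;[^\r\n]*\bname="upgfile"'
    rb'[^\r\n]*\bfilename="([^"\r\n]*)"', re.IGNORECASE)
CGI_SCRIPT_RE = re.compile(r'\.(sh|pl)$', re.IGNORECASE)

def traversal_in_filename(name):
    """True if the client-supplied name is anything but a bare file name."""
    # Undo single and double URL-encoding, normalise backslashes.
    decoded = unquote(unquote(name)).replace('\\', '/')
    return '/' in decoded or '..' in decoded or '\x00' in decoded

def inspect_request(method, path, query, headers, body=b''):
    """Return detection findings for one request; empty list means no match."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    part = UPGFILE_RE.search(body)
    if method == 'POST' and part:
        if traversal_in_filename(part.group(1).decode('latin-1')):
            findings.append('upgfile-traversal')
        if (hdrs.get('x-requested-with') == 'XMLHttpRequest'
                and b'application/x-perl' in body.lower()):
            findings.append('perl-upload-fingerprint')
    # Any .sh/.pl path called with cmd=commandLinux, not only users.sh.
    if (method == 'GET' and CGI_SCRIPT_RE.search(path)
            and 'commandLinux' in parse_qs(query).get('cmd', [])):
        findings.append('cgi-cmd-trigger')
    return findings

def _multipart(filename, ctype):
    """Build a constructed one-part multipart body for the samples below."""
    return (b'--b\r\nContent-Disposition: form-data; name="upgfile"; '
            b'filename="' + filename + b'"\r\nContent-Type: ' + ctype
            + b'\r\n\r\nplaceholder\r\n--b--\r\n')

# Constructed requests, not captured traffic; '/upload-endpoint' is a placeholder.
SAMPLES = [
    ('POST', '/upload-endpoint', '', {'X-Requested-With': 'XMLHttpRequest'},
     _multipart(b'..%2f..%2fexample.pl', b'application/x-perl')),
    ('POST', '/upload-endpoint', '', {},
     _multipart(b'upgrade.tgz', b'application/gzip')),
    ('GET', '/lpar2rrd-cgi/users.sh', 'cmd=commandLinux', {}, b''),
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(sample[0], sample[1], inspect_request(*sample))
```

The filename check treats any path separator as suspicious rather than only `../`, because an upload field should carry a bare file name; pair it with file-integrity monitoring on the CGI directories for the host-side items in the list.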