Cyber Resilience

CVE-2025-34033

HighPublic PoCRCE

Published: 24 June 2025

Published
24 June 2025
Modified
20 November 2025
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0221 84.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34033 is a high-severity OS Command Injection (CWE-78) vulnerability in 5Vtechnologies Blue Angel Software Suite. Its CVSS base score is 7.7 (High).

Operationally, ranked in the top 15.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

An OS command injection vulnerability affects the Blue Angel Software Suite on embedded Linux devices. The flaw resides in the webctrl.cgi script, where the ping_addr parameter is passed to the system ping command without adequate sanitization, allowing shell metacharacters to alter command execution. The issue is tracked as CWE-78 and carries a CVSS 4.0 score of 7.7.

An authenticated attacker can exploit the vulnerability by sending a crafted GET request to /cgi-bin/webctrl.cgi?action=pingtest_update with shell metacharacters appended to ping_addr. Command output is reflected in the web interface, and default or backdoor credentials are sufficient to reach the endpoint. Successful exploitation grants arbitrary command execution with root privileges on the device.

Exploitation evidence was recorded by the Shadowserver Foundation on 2025-01-26 UTC. The associated EPSS score has remained flat at a peak of 0.0221 with no material increase after disclosure. Public references include an advisory from VulnCheck and Exploit-DB entries 46792 that document the injection vector.

EU & UK References

Vulnerability details

An OS command injection vulnerability exists in the Blue Angel Software Suite running on embedded Linux devices via the ping_addr parameter in the webctrl.cgi script. The application fails to properly sanitize input before passing it to the system-level ping command.…

more

An authenticated attacker can inject arbitrary commands by appending shell metacharacters to the ping_addr parameter in a crafted GET request to /cgi-bin/webctrl.cgi?action=pingtest_update. The command's output is reflected in the application's web interface, enabling attackers to view results directly. Default and backdoor credentials can be used to access the interface and exploit the issue. Successful exploitation results in arbitrary command execution as the root user. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-26 UTC.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

5vtechnologies
blue angel software suite
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References