CVE-2025-34087
Published: 03 July 2025
Summary
CVE-2025-34087 is a critical-severity OS Command Injection (CWE-78) vulnerability in Pi-hole. Its CVSS base score is 9.0 (Critical).
Operationally, it is ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
An authenticated command injection vulnerability affects Pi-hole versions up to 3.3 in the legacy AdminLTE web interface. When a domain is added to the allowlist, the domain parameter is not sanitized, permitting an attacker to append operating system commands that execute with the privileges of the Pi-hole service user. The issue is tracked as CWE-78 and carries a CVSS 4.0 score of 9.0.
An attacker with a valid account on the web interface can supply a crafted domain string containing shell metacharacters. Successful exploitation grants arbitrary command execution on the underlying host, enabling full control over DNS filtering configuration and potential lateral movement or persistence within the network.
The vulnerability was addressed in the Pi-hole web interface release v4.0. Public references, including the Pulse Security advisory and the VulnCheck entry, recommend upgrading to a patched version and restricting administrative access to the web interface.
A Metasploit module for the flaw is publicly available, and the EPSS score has reached 0.7218.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19902
Vulnerability details
An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.
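As an added defensive illustration (not Pi-hole's code and not part of the advisory text), the snippet below contrasts the CWE-78 pattern described above, where a request parameter is concatenated into a shell command string, with a hardened handler that first validates the value against hostname grammar and then passes it as a single argv element so no shell ever parses it. The `echo` command, the function names and the sample inputs are constructed for the demonstration and stand in for whatever the real allowlist handler would run.

```python
import re
import subprocess

# Allowlist grammar for one DNS label: 1-63 letters, digits or hyphens,
# not beginning or ending with a hyphen. Anything else (spaces, ';', '|',
# '$', backticks, quotes ...) is outside the grammar and is rejected.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(domain: str) -> bool:
    """Strict allowlist check on a hostname (a trailing dot is tolerated)."""
    if not domain or len(domain) > 253:
        return False
    if domain.endswith("."):
        domain = domain[:-1]
    labels = domain.split(".")
    return all(_LABEL.match(label) for label in labels)


def unsafe_add(domain: str) -> str:
    """Hypothetical vulnerable pattern (not Pi-hole's actual code):
    the raw parameter is interpolated into a shell command line, so a
    ';' in the value terminates the intended command and the remainder
    runs as a second command under the service user's privileges."""
    result = subprocess.run(f"echo added {domain}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def safe_add(domain: str) -> str:
    """Hardened handler: validate first, then invoke without a shell.
    The argv form hands the value to the program as one literal
    argument; even if validation were bypassed, nothing re-parses it."""
    if not is_valid_domain(domain):
        raise ValueError(f"rejected domain parameter: {domain!r}")
    result = subprocess.run(["echo", "added", domain],
                            capture_output=True, text=True)
    return result.stdout


def safe_add_rejects(domain: str) -> bool:
    """True when the hardened handler refuses the input before running anything."""
    try:
        safe_add(domain)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary hostname, one carrying a shell metacharacter.
    for candidate in ("ads.example.com", "example.com; echo INJECTED"):
        print("unsafe:", repr(unsafe_add(candidate)))
        print("safe  :", "rejected" if safe_add_rejects(candidate) else repr(safe_add(candidate)))
```

The detection side follows from the same grammar: an allowlist entry that fails `is_valid_domain` in web-interface request logs is a strong signal of an attempt against this class of weakness, and the validator is cheap enough to run on every administrative request.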
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.