Cyber Resilience

CVE-2025-34087

Critical · Public PoC · RCE

Published: 03 July 2025
Modified: 01 October 2025
KEV Added: not listed
Patch: Pi-hole web interface v4.0
CVSS Score (v4.0): 9.0 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.7218 (98.8th percentile)
Risk Priority: 61 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34087 is a critical-severity OS Command Injection (CWE-78) vulnerability in the Pi-hole web interface (vendor: Pi-hole). Its CVSS v4.0 base score is 9.0 (Critical).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

An authenticated command injection vulnerability affects the legacy AdminLTE web interface in Pi-hole versions up to 3.3. When a domain is added to the allowlist, the domain parameter is not sanitized, so an attacker can append operating system commands that execute with the privileges of the Pi-hole service user. The issue is tracked as CWE-78 and carries a CVSS 4.0 score of 9.0.

An attacker with a valid account on the web interface can supply a crafted domain string containing shell metacharacters. Successful exploitation grants arbitrary command execution on the underlying host, enabling full control over DNS filtering configuration and potential lateral movement or persistence within the network.

The vulnerability was addressed in the Pi-hole web interface release v4.0. Public references, including the Pulse Security advisory and the VulnCheck entry, recommend upgrading to a patched version and restricting administrative access to the web interface.

A Metasploit module for the flaw is publicly available, and the EPSS score stands at 0.7218.

Vulnerability details

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pi-hole
Product: pi-hole
Versions: ≤ 3.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
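Added example (not code from the Pi-hole project or from this page): the vulnerable construction described in the Deeper analysis section, where the unsanitized domain is concatenated into a shell command line, placed beside the input-validation control listed above. The exact command legacy AdminLTE ran and its PHP code are not reproduced; a harmless `echo` stands in for the allowlist command, and the hostname grammar, the function names and the payloads are this example's own assumptions.

```python
import re
import shlex
import subprocess

# Stand-in for the real allowlist command (assumption for this example:
# the advisory says the domain is handed to an OS command but the exact
# command line is not quoted here, so a harmless `echo` is used instead).
ALLOWLIST_CMD = "echo allowlist-add"

# Conservative hostname grammar (assumption: stricter than the full RFC
# rules, which is the point): labels of letters, digits and hyphens,
# 1-63 characters, not starting or ending with a hyphen, joined by dots,
# optional trailing dot, at most 253 characters in total. Spaces, ';',
# '|', '&', '$', backticks and newlines never match, so they are rejected
# before any command is built. A leading hyphen is rejected too, because
# even an argv-style exec would otherwise parse the value as an option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")


def is_valid_domain(domain: str) -> bool:
    """Allow-list validation: accept only strings matching the grammar,
    rather than trying to strip a deny-list of shell metacharacters."""
    return len(domain) <= 253 and _HOSTNAME_RE.fullmatch(domain) is not None


def add_allowlist_vulnerable(domain: str) -> str:
    """The CWE-78 pattern the advisory describes: the user-supplied domain
    is concatenated into a shell command line with no sanitisation, so
    shell metacharacters in `domain` become additional commands."""
    cmd = f"{ALLOWLIST_CMD} {domain}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def add_allowlist_hardened(domain: str) -> str:
    """Hardened form: validate against the hostname grammar, then pass the
    domain as a single argv element with no shell involved at all."""
    if not is_valid_domain(domain):
        raise ValueError(f"rejected domain: {domain!r}")
    argv = shlex.split(ALLOWLIST_CMD) + [domain]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


def audit(candidates):
    """Return the subset of candidate domains the validator rejects."""
    return [d for d in candidates if not is_valid_domain(d)]


if __name__ == "__main__":
    # Constructed payloads: one benign domain and three injection attempts.
    payloads = [
        "example.com",
        "example.com; echo INJECTED",
        "$(echo INJECTED).example.com",
        "-o.example.com",
    ]
    print("vulnerable path output:", repr(add_allowlist_vulnerable(payloads[1])))
    print("rejected by validator:", audit(payloads))
    print("hardened path output:", repr(add_allowlist_hardened(payloads[0])))
```

On the vulnerable path the `;` ends the stand-in command and the appended `echo INJECTED` runs as a second command, which is exactly the behaviour the advisory describes for the real allowlist handler. The hardened path refuses the string before any process is spawned, and even a value that slipped past validation would reach the command as one literal argument because no shell is used to interpret it.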
