CVE-2025-34112
Published: 15 July 2025
Summary
CVE-2025-34112 is a critical-severity multi-stage remote code execution vulnerability in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. Its primary weakness is OS Command Injection (CWE-78), reached through a SQL injection (CWE-89) and escalated to root via an incorrect privilege assignment (CWE-266); missing authentication for a critical function (CWE-306) is also cited. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-34112 is a critical multi-stage remote code execution vulnerability affecting Riverbed SteelCentral NetProfiler and NetExpress version 10.8.7 virtual appliances. It chains a SQL injection flaw in the /api/common/1.0/login endpoint, which permits creation of a new database user account, with a subsequent command injection issue in the /index.php?page=licenses endpoint. The chain then abuses an insecure sudoers configuration that lets the mazu user run arbitrary commands as root; combined with SSH key extraction and command chaining, this yields full control of the system. The vulnerability carries a CVSS 4.0 score of 10.0 and is associated with CWE-78, CWE-89, CWE-266 and CWE-306.
An attacker with network access to the appliance can exploit the chain without prior credentials: the first stage uses the SQL injection to provision an account, the second uses that account to trigger command execution through the licenses endpoint, and the third escalates from the mazu account to root via sudo. Successful exploitation yields complete remote root access to the virtual appliance, enabling arbitrary command execution and full compromise of the device.
Public exploit code is available, including a Metasploit module and an entry on Exploit-DB, while the current EPSS score stands at 0.6859. Riverbed customers should consult the vendor support portal for patches or mitigations applicable to SteelCentral NPM appliances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21430
Vulnerability details
An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.
- CWE(s): CWE-78 (OS Command Injection), CWE-89 (SQL Injection), CWE-266 (Incorrect Privilege Assignment), CWE-306 (Missing Authentication for Critical Function)
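The two web-tier bug classes in the chain described in the analysis and vulnerability details above, as an added example that is not Riverbed's code: a login handler that splices user input into SQL (CWE-89), beside a parameterised version, and a license handler that builds a shell command from user input (CWE-78), beside a version that validates the key and never invokes a shell. The users table, the account-creating payload, the key format and the use of `echo` as a stand-in for the license tool are all constructed for this demonstration.

```python
"""Added example (not Riverbed's code): the two web-tier bug classes in the
chain, a login handler that splices user input into SQL (CWE-89) and a
license handler that builds a shell command from user input (CWE-78), each
beside a hardened version. The users table, the payload and the use of
`echo` as a stand-in for the license tool are constructed for this demo."""
import re
import sqlite3
import subprocess


def setup_db():
    # Constructed sample database; plaintext passwords only to keep the demo short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def run_stacked(conn, sql):
    # Stand-in for a database driver that accepts stacked statements. The
    # sqlite3 module refuses them in execute(), so they are split here; the
    # rows of the last statement are returned, as such a driver would.
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows = conn.execute(stmt).fetchall()
    conn.commit()
    return rows


# --- CWE-89: login endpoint ---------------------------------------------------
def login_vulnerable(conn, username, password):
    # User input becomes part of the query text itself.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in run_stacked(conn, sql)]


def login_safe(conn, username, password):
    # Parameterised query: the input is bound as data and is never parsed as SQL.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


# Hypothetical username payload: closes the string literal, appends an INSERT
# that provisions an account, and leaves a valid SELECT to absorb the tail of
# the original query. The login itself fails, but the row is now in the table.
ACCOUNT_CREATING_PAYLOAD = (
    "x'; INSERT INTO users VALUES ('attacker', 'pw'); "
    "SELECT username FROM users WHERE '1'='1"
)


def user_exists(conn, username):
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


# --- CWE-78: licenses endpoint ------------------------------------------------
LICENSE_KEY = re.compile(r"[A-Z0-9]{4}(-[A-Z0-9]{4}){1,7}")  # assumed key shape


def license_key_is_valid(key):
    # Allowlist: only the expected shape of a key is accepted, nothing else.
    return LICENSE_KEY.fullmatch(key) is not None


def check_license_vulnerable(key):
    # shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)' and
    # friends in `key` become additional commands run by the appliance.
    return subprocess.run("echo " + key, shell=True, capture_output=True,
                          text=True).stdout


def check_license_safe(key):
    # Validate first, then pass the key as one argv element with no shell in
    # the path: the key can only ever be an argument to the tool.
    if not license_key_is_valid(key):
        raise ValueError("malformed license key")
    return subprocess.run(["echo", key], capture_output=True, text=True).stdout


if __name__ == "__main__":
    db = setup_db()
    print(login_vulnerable(db, ACCOUNT_CREATING_PAYLOAD, "z"))  # [] but the row was added
    print(login_vulnerable(db, "attacker", "pw"))               # ['attacker']
    db = setup_db()
    print(login_safe(db, ACCOUNT_CREATING_PAYLOAD, "z"), user_exists(db, "attacker"))
    print(check_license_vulnerable("AAAA-1111; echo INJECTED"))  # two lines of output
    print(license_key_is_valid("AAAA-1111; echo INJECTED"))     # False: the safe path rejects it
```

The two fixes are independent: parameterisation removes the account-creation step, and argv-style execution with an allowlist removes the command-execution step. Either one alone breaks the chain described on this page; both together are the expected baseline.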
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Riverbed SteelCentral NetProfiler and NetExpress version 10.8.7 virtual appliances.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- CWE-78: Validate inputs to block special elements that would alter OS command execution.
- CWE-266: Designate a manager and disseminate policy so that privileges are assigned according to defined roles.
- CWE-306: Require established identification and authentication to unlock, mitigating missing authentication for continued system access.
- CWE-266: Review privilege assignments to users, roles and processes regularly to catch incorrect ones.
- CWE-306: Require identification and a rationale for any action allowed without authentication, so that critical functions are not left unprotected.
- CWE-306: Authorize mobile device connections to organizational systems so that authentication is performed for this access function.
- CWE-266: Explicitly specify privileges and group/role memberships for accounts to reduce the risk of incorrect privilege assignments.
- CWE-306: Guarantee that critical functions are protected by mandatory invocation of the access control mechanism.
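The CWE-266 review control above, applied to the sudoers misconfiguration this advisory describes, as an added audit example that is not Riverbed's code: it parses sudoers-style user specifications and flags grants that let a service account (here `mazu`, as named in the advisory) run anything as root, spawn a root shell, or read arbitrary files as root (enough to lift an SSH private key). The sample file is constructed to resemble the described misconfiguration, and the two program sets are an illustrative, not exhaustive, list.

```python
"""Added audit example, not Riverbed's code: parse sudoers-style grants and
flag entries that let a service account (here `mazu`, as in the advisory)
reach root. The sample file is constructed to resemble the misconfiguration
described above; the program lists are an illustrative, not exhaustive,
set of binaries that spawn shells or read arbitrary files when run as root."""
import re

# Programs that hand back a shell (or execute arbitrary code) when run as root.
SHELL_ESCAPE = {"sh", "bash", "vi", "vim", "nano", "less", "more", "man",
                "awk", "find", "env", "perl", "python", "python3"}
# Programs that, given a free choice of path, read any file as root, which is
# enough to lift an SSH private key and log in as root directly.
FILE_READERS = {"cat", "head", "tail", "cp", "tar", "base64", "strings"}

GRANT_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"      # who, on which hosts
    r"(?:\((?P<runas>[^)]*)\)\s*)?"               # optional (runas_user:runas_group)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                  # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"                              # comma-separated command list
)

# Constructed sample; not a real appliance file.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
mazu        ALL=(ALL) NOPASSWD: ALL
mazu        ALL=(root) NOPASSWD: /usr/bin/vim, /bin/cat, /opt/app/bin/restart-collector
mazu        ALL=(root) NOPASSWD: /usr/bin/systemctl restart collector
www-data    ALL=(mazu) NOPASSWD: /opt/app/bin/run-report
backup      ALL=(root) /usr/bin/rsync --server *
"""


def parse_sudoers(text):
    """Return one dict per user specification; aliases and Defaults are skipped
    (a production auditor would expand User_Alias/Cmnd_Alias first)."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Runas_Alias",
                                        "Host_Alias", "Cmnd_Alias")):
            continue
        m = GRANT_RE.match(line)
        if not m:
            continue
        # sudo runs commands as root when no runas list is given.
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        grants.append({
            "user": m.group("user"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return grants


def classify(cmd):
    """Explain why a single command grant is dangerous, or return None."""
    if cmd == "ALL":
        return "any command as root"
    parts = cmd.split()
    prog = parts[0].rsplit("/", 1)[-1]
    if prog in SHELL_ESCAPE:
        return f"{prog} can spawn a root shell"
    if prog in FILE_READERS and (len(parts) == 1 or "*" in cmd):
        return f"{prog} with unconstrained arguments reads any file as root"
    return None


def audit_grants(grants, user):
    """List the grants that let `user` become root or read root's files."""
    findings = []
    for g in grants:
        if g["user"] != user or g["runas"] not in ("root", "ALL"):
            continue
        for cmd in g["cmds"]:
            reason = classify(cmd)
            if reason:
                findings.append({"cmd": cmd, "nopasswd": g["nopasswd"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_grants(parse_sudoers(SAMPLE_SUDOERS), "mazu"):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"mazu: {flag}{f['cmd']}: {f['reason']}")
```

Feed it the contents of /etc/sudoers and /etc/sudoers.d/* on the appliance; it does not expand aliases or handle `!` negations, so treat a clean result as a first pass, not a proof. The remediation for every finding is the same: grant the service account only the exact commands it needs, with fixed arguments or through a wrapper script, and never `ALL`, an editor, a pager, an interpreter, or an unconstrained file reader.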