Cyber Resilience

CVE-2025-34311

HighPublic PoCRCE

Published: 28 October 2025

Published
28 October 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 62.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34311 is a high-severity OS Command Injection (CWE-78) vulnerability in Ipfire Ipfire. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 37.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-34311 is a command injection vulnerability (CWE-78) in IPFire versions prior to 2.29 Core Update 198. The flaw occurs in the Proxy report creation feature, where the application processes an HTTP POST request to /cgi-bin/logs.cgi/calamaris.dat. Parameters including DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT are read and directly interpolated into a shell invocation of the mkreport helper without sanitization for shell metacharacters or improper constructs.

An authenticated attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation involves crafting a POST request with injected shell metacharacters into one or more parameters, enabling execution of arbitrary commands as the 'nobody' user. The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.

IPFire addresses the vulnerability in version 2.29 Core Update 198. Mitigation details are provided in the IPFire Bugzilla entry (https://bugzilla.ipfire.org/show_bug.cgi?id=13886), the Core Update 198 release announcement (https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released), and the VulnCheck advisory (https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation).

EU & UK References

Vulnerability details

IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy…

more

report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a command injection (CWE-78) in a CGI script that interpolates unsanitized parameters into a shell command (mkreport), directly enabling T1059.004 (Unix Shell). As a remotely exploitable web application flaw, it facilitates T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-34312Same product: Ipfire Ipfire
CVE-2026-42454Shared CWE-78
CVE-2026-34796Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2025-50475Shared CWE-78
CVE-2024-57015Shared CWE-78
CVE-2026-36828Shared CWE-78
CVE-2024-57595Shared CWE-78
CVE-2026-25196Shared CWE-78
CVE-2024-50566Shared CWE-78

Affected Assets

ipfire
ipfire
2.29 · ≤ 2.29

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by requiring validation and sanitization of HTTP POST parameters like DAY_BEGIN before shell interpolation.

prevent

Mitigates the vulnerability through timely flaw remediation by applying IPFire Core Update 198, which fixes the unsanitized parameter handling.

prevent

Limits damage from injected commands by enforcing least privilege, restricting execution to the low-privileged 'nobody' user.

References