CVE-2025-34312
Published: 28 October 2025
Summary
CVE-2025-34312 is a high-severity OS Command Injection (CWE-78) vulnerability in Ipfire Ipfire. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents command injection by requiring validation and sanitization of the BE_NAME parameter before interpolation into shell commands in urlfilter.cgi.
SI-2 mandates timely flaw remediation, including patching IPFire to version 2.29 Core Update 198 to fix the unsanitized input vulnerability.
RA-5 requires vulnerability scanning that identifies the command injection flaw in IPFire versions prior to 2.29 Core Update 198.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a command injection (CWE-78) in a CGI script, directly enabling arbitrary Unix shell command execution (T1059.004) as the 'nobody' user and exploitation of a remote web service (T1210).
NVD Description
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the…
more
application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.
Deeper analysisAI
CVE-2025-34312 is a command injection vulnerability (CWE-78) affecting IPFire versions prior to 2.29 Core Update 198. The flaw resides in the urlfilter.cgi component, where the BE_NAME parameter is processed during blacklist installation via an HTTP POST request. This parameter is directly interpolated into a shell command without proper sanitization, enabling attackers to inject shell metacharacters and execute arbitrary commands as the 'nobody' user. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. By crafting a malicious BE_NAME value during blacklist installation, the attacker achieves remote code execution as the 'nobody' user, potentially leading to high confidentiality, integrity, and availability impacts, such as data exfiltration, file manipulation, or denial-of-service within the restricted user context.
IPFire addressed the issue in version 2.29 Core Update 198, as detailed in the official release announcement. Security practitioners should update affected systems immediately, per advisories from IPFire's Bugzilla (ID 13887) and VulnCheck, which confirm the patch sanitizes the BE_NAME input to prevent injection. No workarounds are specified beyond applying the update.
Details
- CWE(s)