Cyber Resilience

CVE-2025-54123

Critical · Public PoC · RCE

Published: 10 September 2025
Modified: 17 September 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5093 (97.9th percentile)
Risk Priority: 50 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54123 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Hoverfly (vendor: Hoverfly). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

Hoverfly, an open source API simulation tool, contains a command injection vulnerability in versions 1.11.3 and earlier. The flaw resides in the middleware management endpoint at /api/v2/hoverfly/middleware and stems from insufficient input validation in middleware.go combined with unsafe command execution in local_middleware.go and immediate execution logic in hoverfly_service.go. This allows unauthenticated remote attackers to supply crafted input that is passed directly to system commands.

An attacker with network access to the vulnerable endpoint can upload malicious payloads or execute arbitrary commands, including reverse shells, under the privileges of the Hoverfly process. The issue carries a CVSS score of 9.8 and maps to CWE-20 and CWE-78, reflecting the absence of authentication or sanitization on a remotely reachable API.

The fix in version 1.12.0, introduced via commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40, disables the set-middleware API by default and updates documentation to highlight the security implications of exposing it. The EPSS score rose from a low baseline to a peak of 0.6294, indicating that exploitation interest increased after public disclosure.


Vulnerability details

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection at the `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization of user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue arises from a combination of three code-level flaws: insufficient input validation in middleware.go (lines 94-96); unsafe command execution in local_middleware.go (lines 14-19); and immediate execution during testing in hoverfly_service.go (line 173). This allows an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Since the input is passed directly to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set-middleware API by default, and subsequent changes to the documentation make users aware of the security implications of exposing the set-middleware API.
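The three flaws above (missing validation, shell-style command execution, immediate execution of the supplied middleware) map directly onto the SI-10 mitigation. The following Go code is an added example written for this page, not Hoverfly's own code: it shows the shape of the input validation and argv-based execution that would close this class of bug. The allowlist, the `/opt/hoverfly/middleware` script directory and the `Binary`/`Script` field names are assumptions for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed illustration, not Hoverfly's code. The allowlist, script
// directory and field names below are assumptions for this example.
var allowedBinaries = map[string]bool{
	"/usr/bin/python3": true,
	"/usr/bin/node":    true,
}
const scriptDir = "/opt/hoverfly/middleware"
// safeArg permits plain path characters only; shell metacharacters are rejected.
var safeArg = regexp.MustCompile(`^[A-Za-z0-9_./-]+$`)

// MiddlewareRequest is the assumed shape of a set-middleware request.
type MiddlewareRequest struct {
	Binary string `json:"binary"`
	Script string `json:"script"`
}

// ValidateMiddleware applies SI-10 style checks: the interpreter must be an
// allowlisted absolute path and the script must resolve inside scriptDir
// after cleaning, which defeats ../ traversal.
func ValidateMiddleware(req MiddlewareRequest) error {
	bin := filepath.Clean(req.Binary)
	if !filepath.IsAbs(bin) || !allowedBinaries[bin] {
		return fmt.Errorf("binary %q is not on the allowlist", req.Binary)
	}
	if !safeArg.MatchString(req.Script) {
		return fmt.Errorf("script %q contains disallowed characters", req.Script)
	}
	if script := filepath.Clean(req.Script); !strings.HasPrefix(script, scriptDir+"/") {
		return fmt.Errorf("script %q is outside %s", req.Script, scriptDir)
	}
	return nil
}

// BuildCommand builds argv directly (never via a shell), so the validated
// script path is always a single argument rather than parsed command text.
func BuildCommand(req MiddlewareRequest) (*exec.Cmd, error) {
	if err := ValidateMiddleware(req); err != nil {
		return nil, err
	}
	return exec.Command(filepath.Clean(req.Binary), filepath.Clean(req.Script)), nil
}
```

Disabling the endpoint by default (the 1.12.0 fix, NIST CM-7) removes the attack surface entirely; the validation above is what a deployment that must keep the endpoint enabled would still need.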

CWE(s)

CWE-20 (Improper Input Validation); CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Unauthenticated command injection in the exposed middleware API directly enables RCE on a public-facing service (T1190) and arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-8876 (shared: CWE-20, CWE-78)
CVE-2026-21893 (shared: CWE-20, CWE-78)
CVE-2024-58274 (shared: CWE-78)
CVE-2025-50194 (shared: CWE-78)
CVE-2025-7451 (shared: CWE-78)
CVE-2026-33277 (shared: CWE-78)
CVE-2026-25109 (shared: CWE-78)
CVE-2025-56127 (shared: CWE-78)
CVE-2026-27190 (shared: CWE-78)
CVE-2026-22226 (shared: CWE-78)

Affected Assets

Vendor: hoverfly; Product: hoverfly; Versions: ≤ 1.12.0

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation (prevent): Directly addresses the CVE by requiring timely flaw remediation through upgrading to Hoverfly version 1.12.0, which disables the vulnerable middleware API by default.

SI-10 Information Input Validation (prevent): Mandates validation and sanitization of user-supplied inputs to the /api/v2/hoverfly/middleware endpoint to block command injection payloads.

CM-7 Least Functionality (prevent): Enforces least functionality by restricting or disabling the unnecessary middleware API endpoint, preventing exposure to command injection exploits.
