PT-2025-27229 · Raspap · Raspap

Published: 2025-06-27 · Updated: 2025-06-27 · CVE-2025-44163

CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions: RaspAP raspap-webgui version 3.3.1
Description: The issue allows an authenticated attacker to perform a Directory Traversal attack. This is achieved by sending a crafted POST request to the "ajax/networking/get wgkey.php" endpoint with a path traversal payload in the entity parameter. The endpoint passes that value to the tee command in a shell invocation without restricting it to the intended directory, enabling the attacker to overwrite arbitrary files that are writable by the web server.
Recommendations: For RaspAP raspap-webgui version 3.3.1, restrict access to the "ajax/networking/get wgkey.php" endpoint until a patch is available. As a temporary workaround, avoid using the entity parameter of the affected endpoint to minimize the risk of exploitation.
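The durable fix for this class of bug is to treat the entity parameter as an identifier, not a path: accept only an allowlisted character set, resolve the target inside a fixed directory, and avoid piping through a shell at all. The PHP below is an added example written for this page, not RaspAP's code; the function names, the `$baseDir` location, the `.key` suffix and the constructed test inputs are all assumptions.

```php
<?php
// Added example (not RaspAP project code): validate a client-supplied
// "entity" name before using it to choose a file under a fixed directory.
// Directory, suffix, function names and sample inputs are assumptions.

declare(strict_types=1);

/**
 * Returns the absolute path for $entity inside $baseDir, or null if the
 * value is not a plain identifier or would resolve outside $baseDir.
 */
function resolveEntityPath(string $entity, string $baseDir): ?string
{
    // Allowlist: short names made of letters, digits, '-' and '_' only.
    // '\z' (not '$') is used so a trailing newline is also rejected.
    // This rules out '/', '\', '..', NUL bytes and shell metacharacters.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $entity)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory must already exist
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $entity . '.key';

    // Defence in depth: even after the allowlist, confirm the parent of the
    // candidate resolves to the base directory itself.
    $parent = realpath(dirname($candidate));
    if ($parent === false || $parent !== $base) {
        return null;
    }
    return $candidate;
}

/**
 * Writes $content to the file selected by $entity. Uses PHP's own file API
 * rather than `tee` in a shell, so there is no command line to escape.
 */
function writeEntityKey(string $entity, string $content, string $baseDir): bool
{
    $path = resolveEntityPath($entity, $baseDir);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, $content, LOCK_EX) !== false;
}

// Demonstration with constructed inputs (not real requests).
$baseDir = sys_get_temp_dir() . '/wg-demo';
@mkdir($baseDir, 0700, true);

$cases = [
    'peer1'          => true,   // plain identifier: accepted
    '../../outside'  => false,  // traversal sequence: rejected
    'peer1; ls'      => false,  // shell metacharacters: rejected
    "peer1\0"        => false,  // embedded NUL byte: rejected
    "peer1\n"        => false,  // trailing newline: rejected
];

foreach ($cases as $entity => $expected) {
    $ok = writeEntityKey($entity, "constructed-key-material\n", $baseDir);
    printf("%-20s -> %s\n", json_encode($entity), $ok ? 'written' : 'rejected');
    assert($ok === $expected);
}
```

If the shell call to tee cannot be removed, the validated value must still be wrapped with escapeshellarg() before interpolation, but the allowlist and the realpath() check above are what actually close the traversal, not the quoting.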

Weakness Enumeration: Path traversal; Relative Path Traversal

Related Identifiers: CVE-2025-44163, GHSA-277F-37GW-9GMQ

Affected Products: Raspap