PT-2025-29557 · Ipfire · Ipfire
Yann Cam · Published 2025-07-15 · Updated 2025-07-15
CVE-2025-34116
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
IPFire versions prior to 2.19 Core Update 101
Description
A remote command execution issue exists in IPFire due to a flaw in the proxy.cgi CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, resulting in command execution with web server privileges.
Recommendations
Update to version 2.19 Core Update 101 or later.
Exploit
Fix
Missing Authentication
OS Command Injection
RCE
Related Identifiers
Affected Products
Ipfire