CVE-2021-33393

HIGH

IPFire 2.25-core155 - Privilege Escalation

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-33393. PoCs were published by Mücahit Saratar, joaoaugustom and Grant Willcox, including the Metasploit module exploits/linux/http/ipfire_pakfire_exec.

AI-analyzed exploit summary: This exploit leverages an authenticated command injection vulnerability in IPFire's pakfire.cgi by injecting a command into the INSPAKS parameter. It sends a crafted POST request with basic authentication to execute arbitrary commands on the target system.

Description

lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.

Exploits (3)

exploitdb WORKING POC
by Mücahit Saratar · python, webapps, cgi
https://www.exploit-db.com/exploits/49869

This exploit leverages an authenticated command injection vulnerability in IPFire's pakfire.cgi by injecting a command into the INSPAKS parameter. It sends a crafted POST request with basic authentication to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: IPFire 2.25 - core update 156
Auth required
Prerequisites: Valid credentials for the target IPFire system · Network access to the target's web interface
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by joaoaugustom · poc
https://github.com/joaoaugustom/IPFire_2.25_RCE_Authenticated

This repository contains a functional exploit for CVE-2021-33393, an authenticated remote code execution vulnerability in IPFire 2.25. The exploit modifies the backup.pl script to establish a reverse shell with root privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IPFire 2.25 - core update 156
Auth required
Prerequisites: valid credentials for the IPFire web interface · network access to the target · listener set up for reverse shell
devstral-2 · analyzed May 19, 2026

metasploit WORKING POC EXCELLENT
by Mücahit Saratar, Grant Willcox · ruby, poc, python
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ipfire_pakfire_exec.rb

This Metasploit module exploits an authenticated command injection vulnerability in IPFire's pakfire.cgi to achieve remote code execution as root. It leverages improper input validation in the INSPAKS parameter to inject and execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IPFire 2.25 Core Update 156 and prior
Auth required
Prerequisites: Valid credentials for IPFire web interface · Network access to the target device
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/MucahitSaratar/ipfire-2-25-auth-rce
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/163158/IPFire-2.25-Remote-Code-Execution.html

Scores

CVSS v3 8.8
EPSS 0.7218
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
ipfire/ipfire 2.25 core_update141 (14 CPE variants)
ipfire/ipfire < 2.25
Published Jun 09, 2021
Tracked Since Feb 18, 2026