CVE-2025-34098

HIGH

Riverbed SteelHead VCX <9.6.0a - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34098. PoCs published by Gregory Draperi, Gregory DRAPERI <gregory.draper_at_gmail.com>, h00die, including Metasploit module auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.

AI-analyzed exploit summary This exploit leverages an authenticated arbitrary file read vulnerability in Riverbed SteelHead VCX by manipulating the log filter parameter to read sensitive files like /etc/passwd. It requires valid credentials and interacts with the target via HTTP requests.

Description

A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. An authenticated attacker can exploit this flaw by submitting crafted filter expressions to the log_filter endpoint using the filterStr parameter. This input is processed by a backend parser that permits execution of file expansion syntax, allowing the attacker to retrieve arbitrary system files via the log viewing interface.

Exploits (2)

exploitdb WORKING POC

by Gregory Draperi · pythonwebappslinux

https://www.exploit-db.com/exploits/42101

View Code ZIP pw:eip

This exploit leverages an authenticated arbitrary file read vulnerability in Riverbed SteelHead VCX by manipulating the log filter parameter to read sensitive files like /etc/passwd. It requires valid credentials and interacts with the target via HTTP requests.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Riverbed SteelHead VCX (VCX255U) (x86_64) 9.6.0a

Auth required

Prerequisites: Valid credentials for the target system · Network access to the target

MITRE ATT&CK

T1083 - File and Directory Discovery T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

by Gregory DRAPERI <gregory.draper_at_gmail.com>, h00die · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated arbitrary file read vulnerability in Riverbed SteelHead VCX by leveraging the log module's filter engine to retrieve file contents. It authenticates via CSRF-protected login and then reads the specified file by manipulating the filterStr parameter.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Riverbed SteelHead VCX (VCX255U) version 9.6.0a

Auth required

Prerequisites: Valid credentials for the target system · Network access to the target · CSRF token extraction

MITRE ATT&CK

T1083 - File and Directory Discovery T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.rb

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/42101

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/riverbed-steel-head-vcx-authenticated-arbitrary-file-read

Scores

CVSS v4 7.1

EPSS 0.0072

EPSS Percentile 48.8%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (3)

Riverbed Technology/SteelHead VCX 9.6.0a

Riverbed Technology/SteelHead VCX 9.6.1 - 9.7.*

Riverbed Technology/SteelHead VCX 9.6.1 - 9.7.x

Published Jul 10, 2025

Tracked Since Feb 18, 2026