CVE-2025-34112

CRITICAL

Riverbed SteelCentral NetProfiler & NetExpress <10.8.7 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34112. PoCs published by Metasploit, including Metasploit module exploits/linux/http/riverbed_netprofiler_netexpress_exec.

AI-analyzed exploit summary This Metasploit module exploits a SQL injection in the login form to add a malicious user, then leverages a command injection vulnerability to achieve remote code execution, and finally abuses an insecure sudoers configuration to escalate privileges to root on Riverbed SteelCentral NetProfiler/NetExpress.

Description

An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/40108

This Metasploit module exploits a SQL injection in the login form to add a malicious user, then leverages a command injection vulnerability to achieve remote code execution, and finally abuses an insecure sudoers configuration to escalate privileges to root on Riverbed SteelCentral NetProfiler/NetExpress.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7
No auth needed
Prerequisites: Network access to the target appliance · SQL injection vulnerability in the login form · Command injection vulnerability in the web interface · Insecure sudoers configuration
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb

This Metasploit module exploits a SQL injection in the login form to add a malicious user, then leverages a command injection vulnerability in the web interface to achieve remote code execution, and finally abuses an insecure sudoers configuration to escalate privileges to root on Riverbed SteelCentral NetProfiler/NetExpress.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7
No auth needed
Prerequisites: Network access to the target appliance · SQL injection vulnerability in the login form · Command injection vulnerability in the web interface · Insecure sudoers configuration
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v4 10.0
EPSS 0.0200
EPSS Percentile 78.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-266 CWE-306 CWE-78 CWE-89
Status published
Products (2)
Riverbed Technology/SteelCentral NetExpress 10.8.7
Riverbed Technology/SteelCentral NetProfiler 10.8.7
Published Jul 15, 2025
Tracked Since Feb 18, 2026