CVE-2025-34116

HIGH

IPFire < 2.19 Core Update 101 - Authenticated Remote Command Execution via proxy.cgi NCSA User Creation Form

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34116. PoCs published by Yann CAM, h00die <[email protected]>, Yann CAM, including Metasploit module exploits/linux/http/ipfire_proxy_exec.

AI-analyzed exploit summary The exploit demonstrates a multi-stage attack on IPFire < 2.19 Core Update 101, combining XSS, CSRF bypass, and command injection in proxy.cgi to achieve remote command execution. It includes detailed PoC code for each stage, culminating in a reverse shell via AWK.

Description

A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Yann CAM · textwebappscgi

https://www.exploit-db.com/exploits/39765

View Code ZIP pw:eip

The exploit demonstrates a multi-stage attack on IPFire < 2.19 Core Update 101, combining XSS, CSRF bypass, and command injection in proxy.cgi to achieve remote command execution. It includes detailed PoC code for each stage, culminating in a reverse shell via AWK.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IPFire < 2.19 Core Update 101

No auth needed

Prerequisites: Access to the IPFire web interface · Victim interaction for XSS trigger

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise T1059.004 - Unix Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by h00die <[email protected]>, Yann CAM · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ipfire_proxy_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a remote command execution vulnerability in IPFire's proxy.cgi page by injecting a payload into the user creation form. The exploit leverages command injection via the password field to achieve RCE on vulnerable versions.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IPFire < 2.19 Update Core 101

Auth required

Prerequisites: Valid credentials for IPFire web interface · Access to the proxy.cgi page

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Various Sources vendor-advisory patch

https://www.ipfire.org/news/ipfire-2-19-core-update-101-released

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/ipfire_proxy_exec.rb

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/39765

Various Sources third-party-advisory technical-description

https://www.asafety.fr/en/vuln-exploit-poc/xss-rce-ipfire-2-19-core-update-101-remote-command-execution/

Issue Tracking issue-tracking

https://bugzilla.ipfire.org/show_bug.cgi?id=11087

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/ipfire-authenticated-rce

Scores

CVSS v4 8.7

EPSS 0.0114

EPSS Percentile 62.3%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20 CWE-306 CWE-78

Status published

Products (1)

IPFire Project/IPFire < 2.19 Core Update 101

Published Jul 15, 2025

Tracked Since Feb 18, 2026