CVE-2025-34300

CRITICAL EXPLOITED NUCLEI

Template Injection Vulnerability in Sawtooth Software

Title source: metasploit

Description

A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl http://ciwweb.pl/ Perl web application. Exploitation allows an unauthenticated attacker can execute arbitrary commands.

Exploits (2)

nomisec SCANNER 1 stars

by jisi-001 · remote

https://github.com/jisi-001/CVE-2025-34300POC

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Maksim Rogov, Adam Kues · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb

View Code ZIP pw:eip

Nuclei Templates (1)

SawtoothSoftware Lighthouse Studio < 9.16.14 - Pre-Auth Remote Code Execution

CRITICALVERIFIEDby assetnote,DhiyaneshDK,iamnoooob

Shodan: html:"Lighthouse Studio"

References (3)

[Various Sources] https://sawtoothsoftware.com/resources/software-downloads/lighthouse-studio/version-history

[Various Sources] https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/

[Third Party Advisory] https://www.vulncheck.com/advisories/sawtooth-software-lighthouse-studio-preauthentication-rce

Scores

CVSS v4 10.0

EPSS 0.6767

EPSS Percentile 98.6%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Details

VulnCheck KEV 2025-08-07

CWE

CWE-1336 CWE-20

Status published

Products (1)

Sawtooth Software/Lighthouse Studio < 9.16.14

Published Jul 16, 2025

Tracked Since Feb 18, 2026