CVE-2025-34300
Sawtooth Software Lighthouse Studio < 9.16.14 Pre-Authentication RCE
In short
Sawtooth Software Lighthouse Studio has a flaw that lets anyone on the internet run any command they want on the server, without needing a password. This is extremely dangerous because attackers can take over the entire system.
Technical detail
A template injection vulnerability in the ciwweb.pl Perl application allows unauthenticated remote code execution. The attack vector is HTTP requests to the web interface; no authentication or special conditions are required. Successful exploitation results in arbitrary command execution with server privileges.
Summary generated and translated by AI from the official description.
A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl http://ciwweb.pl/ Perl web application. Exploitation allows an unauthenticated attacker can execute arbitrary commands.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
Sawtooth Software · Lighthouse Studiopublic PoCs found — 1
githubgithub.com/jisi-001/CVE-2025-34300POC★ 1⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://sawtoothsoftware.com/resources/software-downloads/lighthouse-studio/version-historyhttps://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/https://www.vulncheck.com/advisories/sawtooth-software-lighthouse-studio-preauthentication-rce