module
Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio (CVE-2025-34300)
| Disclosed | Created |
|---|---|
| Jul 16, 2025 | Sep 9, 2025 |
Disclosed
Jul 16, 2025
Created
Sep 9, 2025
Description
This module exploits a template injection vulnerability in the
Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application.
The application fails to properly sanitize user input within survey templates,
allowing unauthenticated attackers to inject and execute arbitrary Perl commands
on the target system.
This vulnerability affects Lighthouse Studio versions prior to 9.16.14.
Successful exploitation may result in remote code execution under the privileges
of the web server, potentially exposing sensitive data or disrupting survey operations.
An attacker can execute arbitrary system commands in the context of the user running the web server.
Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application.
The application fails to properly sanitize user input within survey templates,
allowing unauthenticated attackers to inject and execute arbitrary Perl commands
on the target system.
This vulnerability affects Lighthouse Studio versions prior to 9.16.14.
Successful exploitation may result in remote code execution under the privileges
of the web server, potentially exposing sensitive data or disrupting survey operations.
An attacker can execute arbitrary system commands in the context of the user running the web server.
Authors
Maksim Rogov
Adam Kues
Adam Kues
Platform
Linux,Unix,Windows
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.