Description
An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.
Published: 2025-07-15
Score: 10 Critical
EPSS: 49.7% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated multi‑stage vulnerability allows an attacker to establish a foothold in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. Initially a SQL injection in the '/api/common/1.0/login' endpoint creates a new user account in the appliance database. The newly created user can then trigger a command injection through the '/index.php?page=licenses' endpoint, allowing arbitrary command execution. A weakness in the sudoers configuration further enables the malicious user to elevate privileges to root, yielding full control over the appliance. The impact is therefore a complete loss of confidentiality, integrity, and availability for the affected system, as the attacker can obtain full remote root access.

Affected Systems

Riverbed Technology’s SteelCentral NetProfiler and SteelCentral NetExpress 10.8.7 virtual appliances are vulnerable; the issue is present in the appliance software distributed under these product names.

Risk and Exploitability

The CVSS score of 10 indicates critical severity, and the EPSS score of 50% shows a high likelihood that this flaw will be actively exploited. The vulnerability is not listed in the CISA KEV catalog, but the high exploitation probability and the multi‑stage attack path—requiring remote authenticated access, SQL injection, command injection, and sudoers exploitation—make it highly actionable. The attack vector is inferred to be remote, as the vulnerable endpoints are exposed on the appliance’s network interface.

Generated by OpenCVE AI on April 28, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for SteelCentral NetProfiler and NetExpress once available; if no patch exists, contact Riverbed for an advisory.
  • Restrict network access to the '/api/common/1.0/login' and '/index.php' endpoints to trusted IP ranges or internal networks until mitigation is applied.
  • Remove or tighten the sudoers rule that allows the 'mazu' user to execute arbitrary commands as root, ensuring that SSH key extraction and command chaining are no longer possible.

Generated by OpenCVE AI on April 28, 2026 at 11:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21430 An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00895}

Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 15 Jul 2025 13:15:00 +0000

Type Values Removed Values Added
Description An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.
Title Riverbed SteelCentral NetProfiler / NetExpress 10.8.7 RCE
Weaknesses CWE-266
CWE-306
CWE-78
CWE-89
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:38.644Z

Reserved: 2025-04-15T19:15:22.560Z

Link: CVE-2025-34112

cve-icon Vulnrichment

Updated: 2025-07-15T13:35:46.689Z

cve-icon NVD

Status : Deferred

Published: 2025-07-15T13:15:31.123

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34112

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses