Description
A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.
Published: 2025-07-15
Score: 8.7 High
EPSS: 60.7% High
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A remote command execution vulnerability exists in IPFire versions prior to 2.19 Core Update 101. The flaw is located in the proxy.cgi CGI interface and allows an authenticated user to inject arbitrary shell commands by manipulating fields in the NCSA user creation form. Exploitation grants execution under the web server's privileges, potentially compromising the confidentiality, integrity, and availability of the entire system.

Affected Systems

IPFire firewalls running any version earlier than the 2.19 Core Update 101 release. The vulnerability applies to the default installation using the proxy.cgi script and the NCSA user creation interface.

Risk and Exploitability

The CVSS score of 8.7 classifies the weakness as high severity, and the EPSS probability of 61% indicates a high likelihood of exploitation in the wild. Attackers must first authenticate to IPFire and then submit malicious input via the user creation form; no public remote access is required. The issue is not listed in the CISA KEV catalog, but the combination of high CVSS and EPSS scores mandates prompt remediation.

Generated by OpenCVE AI on April 28, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official IPFire 2.19 Core Update 101 release or later to remove the vulnerable proxy.cgi functionality.
  • Revoke or rotate credentials for users who have authorized access to the NCSA user creation form until the update is applied.
  • Restrict access to the proxy.cgi script and the NCSA user creation form to a minimal set of trusted administrators, enforcing strong authentication and access controls.

Generated by OpenCVE AI on April 28, 2026 at 01:06 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-21433
Title: A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.
History

Wed, 19 Nov 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ipfire:ipfire:2.19:*:*:*:*:*:*:*

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00654}


Tue, 15 Jul 2025 14:30:00 +0000

Type Values Removed Values Added
References

Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 15 Jul 2025 14:00:00 +0000

Type Values Removed Values Added
References

Tue, 15 Jul 2025 13:15:00 +0000

Type Values Removed Values Added
Description A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.
Title IPFire < 2.19 Core Update 101 proxy.cgi RCE
Weaknesses CWE-20
CWE-306
CWE-78
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:40.739Z

Reserved: 2025-04-15T19:15:22.560Z

Link: CVE-2025-34116

Vulnrichment

Updated: 2025-07-15T13:38:08.992Z

NVD

Status: Deferred

Published: 2025-07-15T13:15:32.493

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:15:15Z

Weaknesses