Back to KEVs

CVE-2025-34033

5VTechnologies Blue Angel Software Suite OS Command Injection

Basic Information

CVE State
PUBLISHED
Reserved Date
April 15, 2025
Published Date
June 24, 2025
Last Updated
April 07, 2026
Vendor
5VTechnologies
Product
Blue Angel Software Suite
Description
An OS command injection vulnerability exists in the Blue Angel Software Suite running on embedded Linux devices via the ping_addr parameter in the webctrl.cgi script. The application fails to properly sanitize input before passing it to the system-level ping command. An authenticated attacker can inject arbitrary commands by appending shell metacharacters to the ping_addr parameter in a crafted GET request to /cgi-bin/webctrl.cgi?action=pingtest_update. The command's output is reflected in the application's web interface, enabling attackers to view results directly. Default and backdoor credentials can be used to access the interface and exploit the issue. Successful exploitation results in arbitrary command execution as the root user. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-26 UTC.

CVSS Scores

CVSS v4.0

7.7 - HIGH

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SSVC Information

Exploitation
poc
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-10-22 16:58:31 UTC) Source

References

https://www.exploit-db.com/exploits/46792 https://vulncheck.com/advisories/5vtechnologies-blue-angel-command-injection

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-10-22 16:58:31 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel