CVE-2025-27590
📋 TL;DR
This vulnerability in oxidized-web allows unauthenticated attackers to execute arbitrary commands as the Linux user running the oxidized-web service. It affects all oxidized-web instances with the RANCID migration feature enabled that are running versions before 0.15.0.
💻 Affected Systems
- oxidized-web
📦 What is this software?
Oxidized Web (oxidized-web) by the Oxidized Web Project: the web front end for Oxidized, a network device configuration backup tool.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the oxidized-web host, allowing attackers to gain root privileges, steal credentials, pivot to other systems, and disrupt network device management.
Likely Case
Attackers gain control of the oxidized-web service account, allowing them to modify network device configurations, exfiltrate sensitive data, and potentially escalate privileges.
If Mitigated
Limited impact if oxidized-web runs in a containerized environment with minimal privileges and network access.
🎯 Exploit Status
The vulnerability allows unauthenticated command injection, making exploitation straightforward for attackers with network access to the service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.15.0
Vendor Advisory: https://github.com/ytti/oxidized-web/releases/tag/0.15.0
Restart Required: Yes
Instructions:
1. Back up the current oxidized-web configuration.
2. Update oxidized-web to version 0.15.0 or later using your package manager or from GitHub releases.
3. Restart the oxidized-web service.
4. Verify the service is running the patched version.
🔧 Temporary Workarounds
Disable RANCID migration endpoint (Linux)
Remove or restrict access to the vulnerable RANCID migration feature: modify the oxidized-web configuration to disable RANCID migration, or restrict access to the endpoint in the web server configuration.
Network isolation (Linux)
Restrict network access to the oxidized-web service. Replace <oxidized-port> and <trusted-networks> with your values; rules appended with -A are not persistent across reboots, so save them with your distribution's mechanism:
iptables -A INPUT -p tcp --dport <oxidized-port> -s <trusted-networks> -j ACCEPT
iptables -A INPUT -p tcp --dport <oxidized-port> -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can reach oxidized-web
- Run oxidized-web in a container with minimal privileges and no network access to other systems
🔍 How to Verify
Check if Vulnerable:
Check whether the oxidized-web version is below 0.15.0 and the RANCID migration endpoint is reachable without authentication.
Check Version:
oxidized-web --version, or check the package manager (apt list oxidized-web, yum list oxidized-web, etc.)
Verify Fix Applied:
Verify that the oxidized-web version is 0.15.0 or higher and test that the RANCID migration endpoint requires authentication.
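Comparing a version string such as "0.14.2" against "0.15.0" by eye is error-prone, and lexical string comparison gets it wrong (e.g. "0.9" sorts after "0.15.0"). The following POSIX shell helper is an added example, not part of the advisory or of the oxidized-web project: it compares dotted version strings field by field and reports whether the installed version is below the fixed release. Feed it the version string obtained from the version check above; the helper itself assumes nothing about how that string was obtained.

```shell
#!/bin/sh
# Fixed release named in the advisory.
FIXED_VERSION=0.15.0

# vercmp A B -> prints -1 if A < B, 0 if equal, 1 if A > B.
# Compares numeric dotted fields; missing fields count as 0 and any
# non-numeric suffix on a field (e.g. "0.15.0.pre") is ignored.
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x%%[!0-9]*} y=${y%%[!0-9]*}
    x=${x:-0} y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# oxidized_web_status VERSION -> prints "vulnerable" or "patched".
oxidized_web_status() {
  if [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
    printf '%s\n' vulnerable
  else
    printf '%s\n' patched
  fi
}

# Usage: oxidized_web_status "$(oxidized-web --version)"
# Example with a constructed version string:
oxidized_web_status 0.14.2
```

A version at or above 0.15.0 only proves the package is patched; the advisory also asks you to confirm that the RANCID migration endpoint now requires authentication, which this helper does not test.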
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from oxidized-web user
- Failed authentication attempts to RANCID migration endpoint
- Unexpected command execution in oxidized-web logs
Network Indicators:
- Unusual outbound connections from oxidized-web host
- Traffic to RANCID migration endpoint from unexpected sources
SIEM Query:
source="oxidized-web" AND (event="command_execution" OR (event="rancid_migration" AND user="unauthenticated"))
(Field and event names are illustrative; map them onto your own log schema.)
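Two of the indicators above can be checked directly on the host without a SIEM: requests to the migration endpoint from outside the trusted networks, and processes running under the service account that are not the service itself. The script below is an added example, not part of the advisory or of oxidized-web. Both the access-log lines (common log format) and the process snapshot (`ps -eo user=,pid=,ppid=,comm=` layout) are constructed sample data; the path /rancid-migrate, the service username "oxidized" and the expected process name "ruby" are assumptions to be replaced with the values from your deployment.

```shell
#!/bin/sh
# Constructed sample access log in common log format; NOT real oxidized-web output.
# The path /rancid-migrate is a placeholder for the real migration route.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "POST /rancid-migrate HTTP/1.1" 200 128
203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "POST /rancid-migrate HTTP/1.1" 200 128
198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "POST /rancid-migrate HTTP/1.1" 500 0
203.0.113.9 - - [01/Jan/2025:10:03:00 +0000] "GET /nodes HTTP/1.1" 200 2048'

# Constructed snapshot in `ps -eo user=,pid=,ppid=,comm=` layout; not real host data.
# "oxidized" stands for whichever Linux user runs the service.
SAMPLE_PS='oxidized 1201 1 ruby
oxidized 1340 1201 sh
oxidized 1341 1340 curl
root 900 1 sshd'

# flag_migration_requests ENDPOINT TRUSTED_PREFIX
# Reads an access log on stdin and prints "client_ip status" for every request
# to ENDPOINT whose client address does not start with TRUSTED_PREFIX
# (a dotted-prefix match, e.g. "10.0.0."; not full CIDR arithmetic).
# In CLF, $1 is the client, $7 the request path and $9 the status code.
flag_migration_requests() {
  awk -v ep="$1" -v tp="$2" '$7 == ep && index($1, tp) != 1 { print $1, $9 }'
}

# flag_unexpected_children SERVICE_USER EXPECTED_COMM
# Reads a ps snapshot on stdin and prints "pid comm" for processes owned by
# SERVICE_USER whose command is not EXPECTED_COMM. Shells or network tools
# under the service account match the "unusual process execution" indicator.
flag_unexpected_children() {
  awk -v u="$1" -v ok="$2" '$1 == u && $4 != ok { print $2, $4 }'
}

# Counting wrappers over the constructed samples, so results can be checked.
count_untrusted_migration_requests() {
  printf '%s\n' "$SAMPLE_LOG" | flag_migration_requests "$1" "$2" | wc -l | tr -d ' '
}
count_unexpected_children() {
  printf '%s\n' "$SAMPLE_PS" | flag_unexpected_children "$1" "$2" | wc -l | tr -d ' '
}

# Run against the constructed data:
printf '%s\n' "$SAMPLE_LOG" | flag_migration_requests /rancid-migrate 10.0.0.
printf '%s\n' "$SAMPLE_PS" | flag_unexpected_children oxidized ruby
```

On a live host, pipe the web server's access log and the output of `ps -eo user=,pid=,ppid=,comm=` into the two functions instead of the sample variables. A non-empty result from either is a reason to pull the full request details and process tree, not proof of compromise on its own: a legitimate migration run from an untrusted address, or an administrator's shell under the service account, produces the same lines.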