CVE-2025-34304

6.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in IPFire allows authenticated attackers to manipulate SQL queries when viewing OpenVPN connection logs. Attackers can exploit this to extract sensitive information from the database. Exploitation requires an authenticated user of the IPFire web interface, so only installations where an attacker can obtain such access are affected.

💻 Affected Systems

Products:
  • IPFire
Versions: All versions prior to 2.29 (Core Update 198)
Operating Systems: IPFire Linux distribution
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including credentials, configuration data, and network information disclosure

🟠

Likely Case

Extraction of OpenVPN connection logs, user data, and potentially other database contents

🟢

If Mitigated

Limited impact due to authentication requirement and database permissions

🌐 Internet-Facing: MEDIUM - Requires authentication but could be exploited if admin interfaces are exposed
🏢 Internal Only: MEDIUM - Authenticated internal users could exploit this vulnerability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authentication and knowledge of SQL injection techniques

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IPFire 2.29 (Core Update 198)

Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released

Restart Required: No

Instructions:

1. Log into IPFire web interface
2. Navigate to System > Updates
3. Apply Core Update 198
4. Verify version shows 2.29

🔧 Temporary Workarounds

Restrict web interface access (applies to: all)

Limit access to the IPFire web interface to trusted networks only.

Configure firewall rules to restrict access to port 444 (HTTPS) and port 445 (HTTP).

🧯 If You Can't Patch

  • Disable OpenVPN logging functionality if not required
  • Implement network segmentation to isolate IPFire management interface

🔍 How to Verify

Check if Vulnerable:

Check the IPFire version on the web interface dashboard, or over SSH with: cat /etc/ipfire-release

Check Version:

cat /etc/ipfire-release

Verify Fix Applied:

Verify version is 2.29 or higher and Core Update 198 is applied

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual POST requests to /cgi-bin/logs.cgi/ovpnclients.dat with SQL-like payloads

SIEM Query:

source="ipfire_web_logs" AND uri="/cgi-bin/logs.cgi/ovpnclients.dat" AND (CONNECTION_NAME CONTAINS "'" OR CONNECTION_NAME CONTAINS "--" OR CONNECTION_NAME CONTAINS ";")
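As an added illustration that is not part of this advisory or of IPFire, the SIEM query above expressed as a Python filter over already-parsed web log events. The field names (source, uri, CONNECTION_NAME) are taken from the query; the sample events are constructed, and the extra URL-decoding pass is an assumption beyond the query's literal substring matching so that a percent-encoded quote (%27) is not missed.

```python
from urllib.parse import unquote_plus

# Path and field referenced by the advisory's detection guidance.
TARGET_URI = "/cgi-bin/logs.cgi/ovpnclients.dat"
LOG_SOURCE = "ipfire_web_logs"
# Substrings the SIEM query looks for in CONNECTION_NAME.
MARKERS = ("'", "--", ";")

# Constructed sample events in the normalised key/value shape a SIEM would
# produce after parsing IPFire web logs (hypothetical data, not real traffic).
SAMPLE_EVENTS = [
    {"source": LOG_SOURCE, "method": "POST", "uri": TARGET_URI,
     "CONNECTION_NAME": "laptop-alice"},                 # benign
    {"source": LOG_SOURCE, "method": "POST", "uri": TARGET_URI,
     "CONNECTION_NAME": "alice'--"},                     # raw quote + comment
    {"source": LOG_SOURCE, "method": "POST", "uri": TARGET_URI,
     "CONNECTION_NAME": "alice%27%3B"},                  # percent-encoded ' and ;
    {"source": LOG_SOURCE, "method": "GET", "uri": "/cgi-bin/index.cgi",
     "CONNECTION_NAME": "it's"},                         # wrong URI: ignored
    {"source": "other", "method": "POST", "uri": TARGET_URI,
     "CONNECTION_NAME": "a;b"},                          # wrong source: ignored
]


def matches(event):
    """Return True when the event satisfies the SIEM query's conditions."""
    if event.get("source") != LOG_SOURCE or event.get("uri") != TARGET_URI:
        return False
    raw = event.get("CONNECTION_NAME", "")
    # Check both the raw value and its URL-decoded form.
    for candidate in (raw, unquote_plus(raw)):
        if any(marker in candidate for marker in MARKERS):
            return True
    return False


def scan(events):
    """Return the subset of events that should raise an alert."""
    return [event for event in events if matches(event)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["method"], hit["uri"], repr(hit["CONNECTION_NAME"]))
```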
