CVE-2025-61304

9.8 CRITICAL

📋 TL;DR

This CVE describes an OS command injection vulnerability in Dynatrace ActiveGate's ping extension. Attackers can execute arbitrary commands on affected systems by injecting malicious payloads into the IP address parameter. Organizations running vulnerable versions of Dynatrace ActiveGate with the ping extension enabled are affected.

💻 Affected Systems

Products:
  • Dynatrace ActiveGate
Versions: Up to version 1.016
Operating Systems: All platforms running Dynatrace ActiveGate
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the ping extension to be enabled. The vulnerability is in the extension's handling of IP address input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Unauthenticated remote code execution allowing attackers to install backdoors, exfiltrate data, or pivot to other systems in the network.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege principles, and input validation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH
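The input-validation mitigation named above, shown as an added illustration of the bug class (this is not Dynatrace's extension code; the function names and the constructed sample inputs are hypothetical): the unsafe pattern builds a shell command line from the raw address parameter, while the hardened form accepts only a parseable IPv4/IPv6 address and hands it to ping as a separate argv element with no shell involved.

```python
import ipaddress
import subprocess
from typing import List, Optional


def validate_ip(raw: str) -> Optional[str]:
    """Accept exactly one IPv4 or IPv6 address and return its canonical text.

    Hostnames, whitespace-separated extras and shell metacharacters all fail
    to parse, so a value that passes can never carry shell syntax onward.
    """
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def unsafe_ping_cmdline(raw: str) -> str:
    """The vulnerable pattern: raw input interpolated into a shell string.

    Returned only for comparison; passing such a string to a shell (e.g.
    subprocess.run(..., shell=True)) is exactly what enables injection.
    """
    return f"ping -c 1 {raw}"


def safe_ping_argv(raw: str, count: int = 1) -> List[str]:
    """Hardened form: the validated address becomes one discrete argv entry."""
    ip = validate_ip(raw)
    if ip is None:
        raise ValueError(f"rejected non-address input: {raw!r}")
    return ["ping", "-c", str(count), ip]


def run_ping(raw: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute ping with shell=False so the argv list is never re-parsed."""
    return subprocess.run(
        safe_ping_argv(raw), shell=False, capture_output=True, text=True, timeout=timeout
    )


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate address, one carrying shell syntax.
    for sample in ["192.0.2.1", "192.0.2.1;echo x"]:
        print(sample, "->", validate_ip(sample), "| unsafe:", unsafe_ping_cmdline(sample))
```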

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code is available on GitHub. The vulnerability requires no authentication and has low exploitation complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.017 or later

Vendor Advisory: https://www.dynatrace.com/support/help/shortlink/security-advisory-cve-2025-61304

Restart Required: Yes

Instructions:

1. Update Dynatrace ActiveGate to version 1.017 or later.
2. Restart the ActiveGate service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable Ping Extension (Platform: all)

Temporarily disable the vulnerable ping extension until patching can be completed.

dynatrace-activegate extension disable ping

Network Restriction (Platform: all)

Restrict network access to ActiveGate management interfaces to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ActiveGate instances from critical systems
  • Deploy web application firewall (WAF) rules to block command injection patterns

🔍 How to Verify

Check if Vulnerable:

Check the ActiveGate version: if it is 1.016 or earlier and the ping extension is enabled, the system is vulnerable.

Check Version:

dynatrace-activegate --version

Verify Fix Applied:

Verify ActiveGate version is 1.017 or later and test ping functionality with safe inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Suspicious process creation from ActiveGate service
  • Failed authentication attempts followed by command execution

Network Indicators:

  • Unusual outbound connections from ActiveGate hosts
  • Command and control traffic patterns

SIEM Query:

source="dynatrace" AND (process_execution OR command_injection OR suspicious_ip_pattern)
