CVE-2025-34087: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Pi-hole LLC Web

Severity: Critical
Type: Vulnerability
Tags: CVE-2025-34087, cve, cve-2025-34087, cwe-78
Published: Thu Jul 03 2025 (07/03/2025, 19:46:49 UTC)
Source: CVE Database V5
Vendor/Project: Pi-hole LLC
Product: Web

Description

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.

AI-Powered Analysis

Last updated: 07/03/2025, 20:10:13 UTC

Technical Analysis

CVE-2025-34087 is a critical OS command injection vulnerability affecting Pi-hole versions up to 3.3, specifically in the legacy AdminLTE web interface. It is triggered when an authenticated user adds a domain to the allowlist via the web interface: the 'domain' parameter is not properly sanitized, so an attacker can append arbitrary OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. The flaw is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning that special characters or command sequences are not neutralized before the string reaches an OS command.

The vulnerability requires authentication but no additional user interaction, and the attack vector is network-based (remote). The CVSS 4.0 score is 9.0, reflecting critical severity due to high impact on confidentiality, integrity, and availability, as well as ease of exploitation. No known exploits are currently reported in the wild, and the vulnerability has been patched in versions later than 3.3. The Pi-hole service typically runs with limited privileges, but successful exploitation could allow attackers to execute arbitrary commands, potentially leading to full system compromise depending on the environment and privilege escalation opportunities. The legacy AdminLTE interface may still be in use in some deployments.

Potential Impact

For European organizations using Pi-hole as a network-level ad blocker and DNS sinkhole, this vulnerability poses a significant risk. Exploitation could allow attackers to execute arbitrary commands on the Pi-hole server, potentially leading to data exfiltration, network reconnaissance, or pivoting to other internal systems. Given Pi-hole's role in DNS filtering, compromise could disrupt network traffic, degrade service availability, or allow malicious DNS responses, impacting confidentiality and integrity of network communications. Organizations relying on Pi-hole for security or privacy controls could see these protections bypassed or manipulated. The requirement for authentication limits exposure to insiders or attackers who have obtained valid credentials, but weak or reused passwords could facilitate exploitation. The impact is heightened in environments where Pi-hole is deployed on critical infrastructure or integrated with other network services. Disruption or compromise could affect operational continuity and data security, especially in sectors with stringent data protection regulations like GDPR in Europe.

Mitigation Recommendations

1. Upgrade Pi-hole installations to versions later than 3.3 where the vulnerability is patched, ensuring the legacy AdminLTE interface is no longer in use.
2. Enforce strong authentication mechanisms for the Pi-hole web interface, including complex passwords and, where possible, multi-factor authentication to reduce risk of credential compromise.
3. Restrict network access to the Pi-hole web interface to trusted management networks or VPNs to limit exposure.
4. Regularly audit and monitor Pi-hole logs for suspicious activity, such as unusual domain additions or command execution attempts.
5. Implement host-based intrusion detection systems (HIDS) on Pi-hole servers to detect anomalous command executions or privilege escalations.
6. Consider running Pi-hole under the least privileged user context possible and apply OS-level hardening to reduce impact of potential command injection.
7. Educate administrators on the risks of using legacy interfaces and the importance of timely patching.
8. If upgrading is not immediately feasible, apply web application firewalls (WAF) or input validation proxies to sanitize inputs to the allowlist domain parameter as a temporary mitigation.
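
Mitigations 4 and 8 both come down to treating the allowlist domain value as data with a strict grammar. The following is an added example, not Pi-hole's code or its actual patch: it assumes submitted values are available as strings, the `allowlist-helper` command name is hypothetical, and the sample values are constructed.

```python
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading or trailing
# hyphen; 1 to 63 characters. Assumption: underscores are not accepted.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Characters a shell treats specially; seeing them in a "domain" is a red flag.
_SHELL_META = set(";|&$`<>(){}\\'\"\n\r\t *?!#~")

def is_valid_domain(value):
    """Allowlist check: accept only a plain DNS name, reject everything else."""
    if not value or len(value) > 253:
        return False
    name = value[:-1] if value.endswith(".") else value  # allow one trailing dot
    # fullmatch (not match with "$") so a trailing newline cannot slip through.
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def triage(submitted):
    """Return (value, offending_shell_chars) for every rejected submission."""
    findings = []
    for value in submitted:
        if not is_valid_domain(value):
            meta = sorted(c for c in set(value) if c in _SHELL_META)
            findings.append((value, meta))
    return findings

def build_argv(domain):
    """Hand the validated domain over as one argv element, never via a shell."""
    if not is_valid_domain(domain):
        raise ValueError("rejected domain value")
    # Hypothetical command name; "--" stops option parsing in the callee.
    return ["allowlist-helper", "add", "--", domain]

# Constructed sample of submitted allowlist values (not real Pi-hole log data).
SAMPLE = [
    "ads.example.com",
    "cdn.example.net.",
    "example.com;echo test",
    "example.com && echo test",
    "$(echo test).example.org",
    "-example.com",
    "example.com\n",
]

if __name__ == "__main__":
    for value, meta in triage(SAMPLE):
        print(f"REJECT {value!r} shell metacharacters: {meta}")
```

Validation decides what is accepted; passing the value as a single argv element (for instance to `subprocess.run` with a list and no shell) removes the command interpreter from the path even if validation is later loosened.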

Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.551Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6866dff66f40f0eb729b624c

Added to database: 7/3/2025, 7:54:30 PM

Last enriched: 7/3/2025, 8:10:13 PM

Last updated: 7/4/2025, 2:12:32 PM
