CVE-2025-34087 is an authenticated OS command injection vulnerability identified in Pi-hole LLC's web interface, specifically affecting versions up to 3.3 that use the legacy AdminLTE interface. The vulnerability arises due to improper neutralization of special elements in the 'domain' parameter when adding entries to the allowlist via the web UI. This parameter is not properly sanitized, allowing an attacker with authenticated access to append arbitrary OS commands to the domain string. These commands are executed with the privileges of the Pi-hole service user, which typically runs with limited but significant system permissions. The vulnerability is classified under CWE-78, indicating improper neutralization of OS command elements. Exploitation requires authentication but no additional user interaction, and the attack vector is network-based (remote). The CVSS v4.0 score of 9 (critical) reflects the high impact on confidentiality, integrity, and availability, as successful exploitation can lead to full system compromise, data exfiltration, or disruption of DNS filtering services. The vulnerability was present in the legacy AdminLTE interface and has been patched in versions released after 3.3. No public exploit code or active exploitation has been reported yet. The vulnerability was reserved in April 2025 and published in July 2025. Due to the nature of Pi-hole as a widely used network-level ad and tracker blocking solution, exploitation could allow attackers to pivot within networks or disrupt critical DNS filtering functions.

For European organizations, the impact of CVE-2025-34087 can be significant. Pi-hole is commonly deployed in enterprise and small-to-medium business environments as a DNS-level ad blocker and network filter. Exploitation could allow attackers to execute arbitrary commands on the host system, potentially leading to full compromise of the Pi-hole server. This could result in unauthorized access to internal network resources, interception or manipulation of DNS queries, and disruption of network services. Confidentiality could be breached if attackers access sensitive network data or credentials stored or accessible on the Pi-hole host. Integrity and availability of DNS filtering services could be compromised, impacting user productivity and security posture. Given the critical CVSS score and the fact that the vulnerability requires only authenticated access, insider threats or compromised credentials could facilitate exploitation. European organizations with regulatory requirements around data protection (e.g., GDPR) may face compliance risks if exploitation leads to data breaches. The absence of known exploits in the wild suggests a window for proactive mitigation, but the critical severity demands urgent attention.

1. Upgrade Pi-hole installations to versions later than 3.3 where the vulnerability has been patched. 2. Restrict access to the Pi-hole web interface using network segmentation, VPNs, or IP whitelisting to limit authenticated access only to trusted administrators. 3. Enforce strong authentication mechanisms and regularly audit user accounts with access to the Pi-hole admin interface to prevent unauthorized access. 4. Monitor Pi-hole logs for unusual activity related to allowlist modifications or command execution attempts. 5. Consider running Pi-hole with the least privileges necessary and in containerized or sandboxed environments to limit the impact of potential exploitation. 6. Implement network-level monitoring and intrusion detection systems to detect anomalous DNS or command execution behaviors. 7. Educate administrators on the risks of using legacy interfaces and the importance of timely patching. 8. If immediate upgrade is not possible, disable the allowlist feature or restrict its usage until patched versions can be deployed.