
CVE-2025-34087: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Pi-hole LLC Web

Critical
Tags: Vulnerability, CVE-2025-34087, cve, cve-2025-34087, cwe-78
Published: Thu Jul 03 2025 (07/03/2025, 19:46:49 UTC)
Source: CVE Database V5
Vendor/Project: Pi-hole LLC
Product: Web

Description

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.

AI-Powered Analysis

Last updated: 11/26/2025, 14:09:14 UTC

Technical Analysis

CVE-2025-34087 is an authenticated OS command injection vulnerability affecting Pi-hole versions up to 3.3, specifically within the legacy AdminLTE web interface. The vulnerability arises due to improper neutralization of special elements in the 'domain' parameter when adding a domain to the allowlist via the web interface. Because the input is not properly sanitized, an attacker with authenticated access can append arbitrary OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user, which typically has elevated permissions sufficient to impact system integrity and availability. The vulnerability is classified under CWE-78, indicating improper neutralization of special elements used in OS commands. Exploitation does not require user interaction but does require authentication with low privileges, making it a significant threat in environments where attacker credentials or access are obtainable. The vulnerability was present in the legacy AdminLTE interface and has been patched in later Pi-hole versions. The CVSS v4.0 score of 9.0 reflects the vulnerability's critical nature, with network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild yet, but the potential for remote code execution and system compromise is substantial.

Potential Impact

For European organizations, the impact of CVE-2025-34087 can be severe. Pi-hole is widely used as a network-level DNS filtering solution to block ads, trackers, and malicious domains, often deployed in enterprise, government, and critical infrastructure environments. Exploitation of this vulnerability could allow attackers to execute arbitrary commands on DNS filtering servers, potentially leading to full system compromise, data exfiltration, disruption of DNS services, and lateral movement within internal networks. This could degrade network security posture, disrupt business operations, and expose sensitive information. Given the critical role of DNS in network operations, successful exploitation could also facilitate further attacks such as man-in-the-middle, phishing, or malware distribution. The requirement for authentication reduces the attack surface but does not eliminate risk, especially in cases of credential compromise or insider threats. The vulnerability's presence in legacy interfaces means organizations that have not updated or hardened their Pi-hole deployments remain at high risk.

Mitigation Recommendations

European organizations should immediately upgrade Pi-hole installations to the latest patched versions that address this vulnerability, removing legacy AdminLTE interfaces if possible. Implement strict access controls and multi-factor authentication for the Pi-hole web interface to reduce the risk of unauthorized access. Regularly audit user accounts and permissions to ensure only trusted users have access to the allowlist functionality. Employ network segmentation to isolate DNS filtering servers from general user networks and limit exposure. Monitor logs for unusual activity related to domain allowlist modifications or command execution attempts. Consider deploying web application firewalls (WAFs) or intrusion detection systems (IDS) with rules tuned to detect command injection patterns targeting Pi-hole interfaces. Conduct regular vulnerability assessments and penetration testing focused on DNS infrastructure. Finally, maintain an incident response plan that includes procedures for containment and remediation of DNS server compromises.
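
One way to apply the input check and allowlist-log review recommended above, as an added example (not Pi-hole's code or its actual patch): a strict hostname validator that separately flags shell metacharacters in submitted domain values. The function names and the sample submissions are constructed for illustration, and internationalized names are assumed to arrive in punycode form.

```python
import re

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, never starting or ending with a hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

# Characters a POSIX shell treats specially. Seeing one in a "domain" value is
# the CWE-78 pattern, so it is reported separately instead of just rejected.
_SHELL_META = set(";|&$`<>(){}[]!*?~#'\"\\ \t\r\n")


def classify_domain(value: str) -> str:
    """Return 'ok', 'suspicious' (shell metacharacters) or 'invalid'."""
    if any(ch in _SHELL_META for ch in value):
        return "suspicious"
    if len(value) > 253 or not _HOSTNAME.fullmatch(value):
        return "invalid"
    return "ok"


def review_submissions(entries):
    """Group (source, domain) pairs by classification for triage."""
    report = {"ok": [], "suspicious": [], "invalid": []}
    for source, domain in entries:
        report[classify_domain(domain)].append((source, domain))
    return report


# Constructed sample allowlist submissions: (source address, domain value).
SAMPLE = [
    ("192.0.2.10", "example.com"),
    ("192.0.2.10", "cdn.example.org."),
    ("192.0.2.44", "example.com;id"),
    ("192.0.2.44", "example.com && uname -a"),
    ("192.0.2.17", "-bad-.example"),
    ("192.0.2.17", "exa_mple.com"),
]

if __name__ == "__main__":
    # Validation is defense in depth: the underlying fix is to never build a
    # shell command line from the submitted value in the first place.
    for verdict, rows in review_submissions(SAMPLE).items():
        for source, domain in rows:
            print(f"{verdict:10} {source:12} {domain!r}")
```

Entries classified as suspicious are the ones worth alerting on and correlating with the authenticated session that submitted them.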


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.551Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6866dff66f40f0eb729b624c

Added to database: 7/3/2025, 7:54:30 PM

Last enriched: 11/26/2025, 2:09:14 PM

Last updated: 1/8/2026, 12:43:11 PM
