CVE-2025-34311: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in IPFire.org IPFire
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
AI Analysis
Technical Summary
CVE-2025-34311 is an OS command injection vulnerability identified in IPFire, an open-source firewall distribution widely used for network security. The flaw exists in versions prior to 2.29 (Core Update 198) within the Proxy report generation functionality. When a user creates a Proxy report, the application sends an HTTP POST request to /cgi-bin/logs.cgi/calamaris.dat with multiple parameters such as DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT. These parameters are directly interpolated into a shell command invoking the mkreport helper script without any sanitization or neutralization of shell metacharacters. This improper handling allows an authenticated attacker to inject arbitrary shell commands, which execute with the privileges of the 'nobody' user—a low-privilege account but still capable of causing significant harm within the system context. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and has a CVSS v4.0 score of 8.7, indicating high severity. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), no user interaction (UI:N), and only requires privileges of an authenticated user (PR:L). The vulnerability impacts confidentiality, integrity, and availability at a high level due to the potential for arbitrary command execution. No public exploits have been reported yet, but the vulnerability's nature makes it a critical risk for IPFire deployments. The lack of input validation and direct shell command construction is a common and dangerous coding flaw that can lead to system compromise or lateral movement within a network.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial. IPFire is frequently deployed in small to medium enterprises, government agencies, and critical infrastructure environments as a firewall and proxy solution. Successful exploitation could allow attackers to execute arbitrary commands on the firewall device, potentially leading to unauthorized access to internal networks, data exfiltration, disruption of network services, or pivoting to other systems. The 'nobody' user privileges limit the scope somewhat but do not eliminate the risk of privilege escalation or lateral movement. Confidentiality could be compromised by accessing sensitive logs or network traffic data, integrity could be undermined by altering firewall rules or logs, and availability could be affected by disrupting firewall operations. Given the strategic importance of network security appliances, exploitation could have cascading effects on organizational security posture. European organizations with regulatory requirements such as GDPR must consider the compliance implications of such a breach. The absence of known exploits in the wild provides a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade IPFire installations to version 2.29 (Core Update 198) or later, where the issue is patched. If upgrading is not immediately feasible, restrict access to the Proxy report generation interface to trusted administrators only, ideally via VPN or secure management networks. Implement network-level access controls and monitoring to detect unusual POST requests to /cgi-bin/logs.cgi/calamaris.dat. Apply strict input validation and sanitization on all parameters used in shell commands, ensuring that special characters and shell metacharacters are properly escaped or rejected. Consider running the mkreport helper with even more restricted privileges or within a sandboxed environment to limit potential damage. Regularly audit firewall logs and system behavior for signs of exploitation attempts. Additionally, educate administrators about the risks of command injection vulnerabilities and the importance of applying security updates promptly. Employ intrusion detection systems (IDS) tuned to detect anomalous command injection patterns targeting IPFire components.
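The defensive pattern the analysis above calls for, as an added example that is not IPFire's own code (logs.cgi is Perl; this Python stands in for it): every field of the calamaris.dat POST is matched against a strict allowlist and the helper is invoked with an argument vector instead of a shell string, shown beside the interpolating pattern that causes the bug. The mkreport path, its positional argument order and the BYTE_UNIT spellings are assumptions.

```python
import re
import subprocess

MKREPORT = "/usr/local/bin/mkreport"  # assumed helper path (placeholder)

# Allowlist per POST field: a regex the whole value must match plus an
# optional integer range. Digit-only patterns cannot carry shell
# metacharacters, so anything rejected here never reaches the helper.
RULES = {
    "DAY_BEGIN": (r"\d{1,2}", (1, 31)),
    "MONTH_BEGIN": (r"\d{1,2}", (1, 12)),
    "YEAR_BEGIN": (r"\d{4}", (2000, 2100)),
    "DAY_END": (r"\d{1,2}", (1, 31)),
    "MONTH_END": (r"\d{1,2}", (1, 12)),
    "YEAR_END": (r"\d{4}", (2000, 2100)),
    "NUM_DOMAINS": (r"\d{1,4}", (0, 9999)),
    "PERF_INTERVAL": (r"\d{1,4}", (0, 9999)),
    "NUM_CONTENT": (r"\d{1,4}", (0, 9999)),
    "HIST_LEVEL": (r"\d{1,2}", (0, 99)),
    "NUM_HOSTS": (r"\d{1,4}", (0, 9999)),
    "NUM_URLS": (r"\d{1,4}", (0, 9999)),
    "BYTE_UNIT": (r"[KMG]?B", None),  # assumed spelling of the unit values
}

class ParameterError(ValueError):
    """Raised when a field is missing, malformed or out of range."""

def unsafe_command(params: dict) -> str:
    """The vulnerable pattern: raw field values interpolated into one shell
    string, so a metacharacter in any field alters the command line."""
    return f"{MKREPORT} " + " ".join(str(params.get(k, "")) for k in RULES)

def validate(params: dict) -> dict:
    """Return a cleaned copy of the fields or raise ParameterError."""
    clean = {}
    for name, (pattern, bounds) in RULES.items():
        value = str(params.get(name, ""))
        if not re.fullmatch(pattern, value):
            raise ParameterError(f"{name}: missing or unexpected characters")
        if bounds and not bounds[0] <= int(value) <= bounds[1]:
            raise ParameterError(f"{name}: out of range")
        clean[name] = value
    return clean

def build_argv(params: dict) -> list:
    """Hardened pattern: validated values as an argument vector (assumed
    positional order); no shell ever parses them."""
    return [MKREPORT] + list(validate(params).values())

def run_report(params: dict) -> subprocess.CompletedProcess:
    """Invoke the helper without a shell (shell=False is the default)."""
    return subprocess.run(build_argv(params), check=True, capture_output=True)
```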
Affected Countries
Germany, Netherlands, United Kingdom, France, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.583Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6900d7521e78ed0e5889e0bc
Added to database: 10/28/2025, 2:46:42 PM
Last enriched: 10/28/2025, 3:01:59 PM
Last updated: 10/30/2025, 3:39:24 AM