CVE-2025-50974 is a command injection vulnerability found in the Calamaris log exporter CGI component of IPFire version 2.29. The vulnerability arises because the CGI script located at /cgi-bin/logs.cgi/calamaris.dat fails to properly sanitize user-supplied input before incorporating parameter values into shell commands. Specifically, parameters such as BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, and YEAR_END are vulnerable to injection of arbitrary operating system commands. An unauthenticated remote attacker can exploit this flaw by embedding shell metacharacters within these parameters, leading to arbitrary command execution on the underlying system. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that the root cause is inadequate input validation and sanitization. The CVSS v3.1 base score is 6.5, reflecting a medium severity level. The attack vector is network-based (AV:N), requiring no privileges (PR:N) or user interaction (UI:N), and the impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could allow attackers to execute arbitrary commands, potentially leading to information disclosure, system compromise, or lateral movement within affected networks if exploited successfully.

For European organizations using IPFire 2.29, this vulnerability poses a significant risk. IPFire is commonly deployed as a firewall and router solution in small to medium enterprises and some larger organizations, often serving as a critical network security component. Exploitation could allow attackers to execute arbitrary commands remotely without authentication, potentially leading to unauthorized access to sensitive network data, manipulation or exfiltration of logs, and further compromise of internal systems. This could disrupt network security monitoring and incident response capabilities. Given the medium severity, the impact on confidentiality and integrity is notable, though availability is not directly affected. However, successful exploitation could be a stepping stone for more severe attacks, including privilege escalation or persistent backdoors. European organizations in sectors such as finance, healthcare, government, and critical infrastructure, which rely on IPFire for perimeter defense, could face increased risk of data breaches and regulatory non-compliance, especially under GDPR mandates. The lack of user interaction and authentication requirements makes this vulnerability easier to exploit remotely, increasing the threat surface for organizations with externally accessible IPFire management interfaces or poorly segmented networks.

Immediate mitigation should focus on restricting access to the vulnerable CGI endpoint. Network administrators should ensure that the /cgi-bin/logs.cgi/calamaris.dat interface is not exposed to untrusted networks, ideally limiting access to trusted internal IP ranges or via VPN. Implement strict firewall rules to block external access to the IPFire management interface. Until an official patch is released, consider disabling the Calamaris log exporter CGI if it is not essential for operations. Additionally, implement web application firewall (WAF) rules to detect and block suspicious input containing shell metacharacters targeting the vulnerable parameters. Regularly monitor logs for unusual command execution patterns or unexpected parameter values. Organizations should also prepare to apply patches promptly once available and conduct thorough security assessments of IPFire deployments to identify any signs of compromise. Employ network segmentation to isolate IPFire devices from critical assets and limit lateral movement in case of exploitation. Finally, educate network administrators about this vulnerability and the importance of input validation in web-facing services.