Pi-hole is a popular network-level ad and tracker blocking application with a web-based admin interface. In versions prior to 6.0, the savesettings.php script processes a POST parameter named 'webtheme' by directly concatenating its value into a shell command executed via PHP's exec() function. This practice constitutes improper neutralization of special elements (CWE-78), enabling OS Command Injection. Since the input is neither sanitized nor validated, an attacker can append arbitrary shell commands to the intended Pi-hole command. Critically, the command executes with sudo privileges, granting root-level access to the attacker. The vulnerability requires no authentication or user interaction and can be exploited remotely by sending crafted HTTP POST requests to the Pi-hole admin interface. The CVSS 4.0 score of 8.9 reflects the high impact on confidentiality, integrity, and availability, combined with ease of exploitation and no required privileges. Although no known exploits are reported in the wild yet, the severity and simplicity of exploitation make this a significant threat. The issue is resolved in Pi-hole version 6.0 by properly sanitizing and validating user input before command execution.

Successful exploitation allows an attacker to execute arbitrary commands with root privileges on the Pi-hole server. This can lead to full system compromise, including data theft, service disruption, installation of persistent malware, lateral movement within the network, and complete loss of confidentiality, integrity, and availability of the affected system. Since Pi-hole often runs on home or small business networks as a DNS-level filter, compromise can also undermine network security and privacy for all connected devices. The vulnerability's remote, unauthenticated nature increases the risk of widespread exploitation, potentially affecting numerous deployments worldwide before patching occurs.

1. Immediately upgrade all Pi-hole installations to version 6.0 or later, where the vulnerability is patched. 2. If upgrading is not immediately possible, restrict access to the Pi-hole admin interface using network-level controls such as firewall rules or VPNs to limit exposure to trusted users only. 3. Monitor network traffic and system logs for unusual POST requests targeting savesettings.php or suspicious command execution patterns. 4. Employ web application firewalls (WAFs) with custom rules to detect and block command injection attempts targeting the 'webtheme' parameter. 5. Regularly audit and harden server configurations to minimize the impact of potential compromises, including running Pi-hole with the least privileges necessary and isolating it within segmented network zones. 6. Educate administrators about the risks of command injection and the importance of timely patching and secure configuration.