Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio
CVE-2025-34300

10 CRITICAL

Key Information:

Vendor: Sawtooth Software
CVE Published: 16 July 2025

Badges

📈 Score: 751
👾 Exploit Exists
🟣 EPSS 72%
📰 News Worthy

What is CVE-2025-34300?

CVE-2025-34300 is a vulnerability in Sawtooth Software's Lighthouse Studio, a widely used application for building and hosting surveys. It is a template injection flaw in ciwweb.pl, the Perl web application that serves Lighthouse Studio surveys, and it allows an unauthenticated attacker to execute arbitrary commands on the hosting server. All versions prior to 9.16.14 are affected, so organizations running this software should confirm their version and update. If exploited, the flaw gives attackers control of the underlying system, exposing the survey data it holds and risking severe operational disruption.

Potential Impact of CVE-2025-34300

  1. Unauthorized Access and Command Execution: This vulnerability could allow malicious actors to run arbitrary commands on the server, leading to complete control over the affected system.

  2. Data Breaches: Given the nature of the software, an attacker could exploit the vulnerability to access sensitive data collected through surveys, resulting in data leaks or loss of confidentiality.

  3. Operational Disruption: Exploitation could lead to significant downtime and resource allocation for remediation, impacting organizational efficiency and potentially leading to financial losses.


Affected Version(s)

Lighthouse Studio (all editions): versions earlier than 9.16.14

News Articles

Lighthouse Studio RCE Vulnerability Let Attackers Gain Access to Hosting Servers

CVE-2025-34300 in Lighthouse Studio allows RCE via survey links, risking thousands of servers due to unsanitized Perl CGI templates.

CVE-2025-34300 - Sawtooth Software Lighthouse Studio Template Injection

A template injection vulnerability exists in Sawtooth Software's Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl Perl web application. Exploitation allows an unauthenticated attacker to execute arbitrary commands.

EPSS Score

72% chance of being exploited in the next 30 days.

CVSS v4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by CVEFeed.io

  • Vulnerability published

  • Vulnerability reserved

Credit

Adam Kues - Assetnote