Platform: ruby
Component: oxidized-web
Fixed version: 0.15.0
CVE-2025-27590 is a critical Remote Code Execution (RCE) vulnerability affecting Oxidized Web versions 0.0 through 0.14.0. An unauthenticated attacker can exploit this flaw to gain complete control over the Linux user account under which Oxidized Web is running, potentially compromising the entire system. The vulnerability resides within the RANCID migration page and has been resolved in version 0.15.0.
The impact of CVE-2025-27590 is severe. Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the Oxidized Web user. This could lead to complete system compromise, including data exfiltration, malware installation, and lateral movement within the network. Given Oxidized Web's role in network device configuration management, an attacker could potentially modify device configurations, disrupt network operations, or gain access to sensitive configuration data. The lack of authentication required for exploitation significantly broadens the attack surface.
CVE-2025-27590 was publicly disclosed on 2025-03-03. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium probability of exploitation. No public proof-of-concept code has been released as of this writing, but the vulnerability's simplicity makes it likely that exploits will emerge. It is not currently listed on CISA KEV.
Organizations utilizing Oxidized Web for network device configuration management are at risk, particularly those running versions 0.0 through 0.14.0. Environments with limited network segmentation or inadequate access controls are especially vulnerable, as an attacker could potentially exploit this vulnerability from outside the internal network.
• ruby / server:
grep -r 'rancid_migration' /opt/oxidized/web/
• generic web:
curl -I http://<oxidized_server>/rancid_migration | grep Server
Exploit status
EPSS
1.38% (80th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-27590 is to immediately upgrade Oxidized Web to version 0.15.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the RANCID migration page via a firewall or web application proxy. Carefully review and restrict the permissions of the Oxidized Web user account to minimize potential damage in the event of a compromise. Monitor system logs for suspicious activity related to the RANCID migration page.
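As an added example (not code from the Oxidized project or from this advisory), the following Ruby script performs two of the checks described above: it reads a Gemfile.lock to decide whether the locked oxidized-web version predates the 0.15.0 fix, and it filters access-log lines for requests to the migration page. The lockfile and log lines are constructed samples, and the /rancid_migration path is taken from the curl check above and assumed to be the route worth watching.

```ruby
require 'rubygems' # Gem::Version handles "0.14.0" < "0.15.0" correctly (string compare would not)

FIXED_VERSION  = Gem::Version.new('0.15.0')   # fixed version stated in the advisory
GEM_NAME       = 'oxidized-web'
MIGRATION_PATH = '/rancid_migration'          # assumption: path used by the page's curl check

# Return the version pinned for gem_name in a Gemfile.lock, or nil if absent.
# Direct entries under "specs:" are indented exactly four spaces, e.g.
# "    oxidized-web (0.14.0)"; their dependencies are indented six and are skipped.
def locked_version(lockfile_text, gem_name = GEM_NAME)
  lockfile_text.each_line do |line|
    m = line.match(/\A\s{4}(\S+) \(([^)\s]+)\)\s*\z/)
    return m[2] if m && m[1] == gem_name
  end
  nil
end

# True when the locked oxidized-web version is older than the fix (0.0 .. 0.14.0).
def affected?(lockfile_text)
  v = locked_version(lockfile_text)
  return false if v.nil?
  Gem::Version.new(v) < FIXED_VERSION
end

# Return access-log lines (common log format) that request the migration page.
def migration_requests(log_text)
  pattern = %r{"(?:GET|POST) #{Regexp.escape(MIGRATION_PATH)}(?:[/?\s])}
  log_text.each_line.select { |l| l.match?(pattern) }.map(&:strip)
end

# Constructed sample lockfile (vulnerable pin) and constructed sample log lines.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oxidized (0.30.1)
      oxidized-web (0.14.0)
        oxidized (~> 0.30)
        sinatra (~> 3.0)
      sinatra (3.2.0)

  DEPENDENCIES
    oxidized-web
LOCK

SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [04/Mar/2025:10:01:02 +0000] "GET /nodes HTTP/1.1" 200 512
  203.0.113.9 - - [04/Mar/2025:10:01:07 +0000] "GET /rancid_migration HTTP/1.1" 200 1024
  203.0.113.9 - - [04/Mar/2025:10:01:09 +0000] "POST /rancid_migration HTTP/1.1" 302 0
LOG

puts "oxidized-web #{locked_version(SAMPLE_LOCKFILE)} affected: #{affected?(SAMPLE_LOCKFILE)}"
migration_requests(SAMPLE_LOG).each { |l| puts "migration page hit: #{l}" }
```

Point the script at a real Gemfile.lock and web-server access log to run the same checks against an actual deployment.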
Update Oxidized Web to version 0.15.0 or later. This version fixes the vulnerability that let an unauthenticated user gain control of the Linux user account running oxidized-web. To update, download the new version from the official repository and follow the installation instructions.
CVE-2025-27590 is a critical vulnerability in Oxidized Web versions 0.0 - 0.14.0 that allows unauthenticated users to execute arbitrary code on the system, potentially leading to complete compromise.
Yes, if you are running Oxidized Web versions 0.0 through 0.14.0, you are affected by this vulnerability. Upgrade to 0.15.0 or later immediately.
The recommended fix is to upgrade Oxidized Web to version 0.15.0 or later. If upgrading is not possible, restrict access to the RANCID migration page.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high likelihood of exploitation in the near future.
Refer to the Oxidized Web project's official website and GitHub repository for the latest security advisories and updates: https://oxidized.io/