A vital distant code execution vulnerability has been found in Lighthouse Studio, probably the most broadly deployed but comparatively unknown survey software program platforms developed by Sawtooth Software program.
The flaw, designated CVE-2025-34300, impacts the Perl CGI scripts that energy web-based surveys, probably exposing 1000’s of internet hosting servers to finish compromise by attackers who possess nothing greater than a survey hyperlink.
Lighthouse Studio operates by way of a twin structure consisting of a Home windows desktop utility for survey creation and a set of Perl CGI scripts deployed on internet servers to deal with respondent interactions.
The vulnerability resides particularly within the server-side elements, the place a templating engine processes person enter with out correct sanitization.
Safety researchers at Assetnote found that the software program’s templating system evaluates content material between [% %] markers as executable Perl code, making a direct pathway for distant code execution.
Slcyber analysts famous that the vulnerability’s affect extends far past particular person installations, as these CGI scripts are incessantly copied throughout a number of surveys inside organizations.
A single firm would possibly function tens or a whole bunch of weak script cases throughout their internet infrastructure, with no automated replace mechanism to deal with safety patches.
This proliferation considerably amplifies the potential assault floor and complicates remediation efforts.
Technical Exploitation Mechanics
The vulnerability exploits a basic flaw within the software program’s enter processing workflow.
The weak code snippet demonstrates how person enter reaches an eval() perform with out enough validation:-
sub _foq {
my ( $_gtp, $_gvf ) = @_;
my $_ejf = “”;
$_ejf = eval($_gtp);
# Further error dealing with code
}
Attackers can exploit this by injecting malicious payloads by way of the hid_Random_ACARAT parameter, equivalent to [%257*7%25], which will get processed by the templating engine and executed as Perl code.
For older software program variations that implement fundamental enter filtering, researchers found a bypass method utilizing duplicate parameter names: hid_Random_ACARAT=[%257*7%25]&hid_Random_ACARAT=x.
This strategy leverages Perl’s array reference dealing with conduct to bypass the filtering mechanisms totally.
Sawtooth Software program launched model 9.16.14 on July ninth, 2025, addressing this vital safety flaw.
Organizations working Lighthouse Studio ought to instantly replace to the patched model to forestall potential compromise of their internet hosting infrastructure.
Increase detection, scale back alert fatigue, speed up response; all with an interactive sandbox constructed for safety groups -> Strive ANY.RUN Now
