Lighthouse Studio RCE Vulnerability Let Attackers Gain Access to Hosting Servers
A critical remote code execution vulnerability has been discovered in Lighthouse Studio, one of the most widely deployed yet relatively unknown survey software platforms developed by Sawtooth Software.
The flaw, designated CVE-2025-34300, affects the Perl CGI scripts that power web-based surveys, potentially exposing thousands of hosting servers to complete compromise by attackers who possess nothing more than a survey link.
Lighthouse Studio operates through a dual architecture consisting of a Windows desktop application for survey creation and a collection of Perl CGI scripts deployed on web servers to handle respondent interactions.
The vulnerability resides specifically in the server-side components, where a templating engine processes user input without proper sanitization.
Security researchers at Assetnote discovered that the software’s templating system evaluates content between [% %] markers as executable Perl code, creating a direct pathway for remote code execution.
Slcyber analysts noted that the vulnerability’s impact extends far beyond individual installations, as these CGI scripts are frequently copied across multiple surveys within organizations.
A single company might operate tens or hundreds of vulnerable script instances across its web infrastructure, with no automatic update mechanism to deliver security patches to them.
This proliferation significantly amplifies the potential attack surface and complicates remediation efforts.
Technical Exploitation Mechanics
The vulnerability stems from a fundamental flaw in the software’s input processing workflow.
The vulnerable code snippet shows how user input reaches an eval() call without adequate validation:
sub _foq {
    # $_gtp holds the template expression taken from user-controlled input;
    # $_gvf is a second argument supplied by the caller.
    my ( $_gtp, $_gvf ) = @_;
    my $_ejf = "";
    # The expression string is handed straight to eval(), so whatever arrives
    # between the [% %] markers runs as Perl on the hosting server.
    $_ejf = eval($_gtp);
    # Additional error handling code
}
Attackers can exploit this by injecting malicious payloads through the hid_Random_ACARAT parameter, such as [%257*7%25], which gets processed by the templating engine and executed as Perl code.
For older software versions that implement basic input filtering, researchers discovered a bypass technique using duplicate parameter names: hid_Random_ACARAT=[%257*7%25]&hid_Random_ACARAT=x.
This approach leverages Perl’s array reference handling behavior to circumvent the filtering mechanisms entirely.
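A defender-side check for the two request patterns described above, added here as an example that is not code from the article, Assetnote or Sawtooth Software: it scans constructed web-server request lines for [% %] template markers in any parameter value (after URL decoding, so the %25 double encoding shown above does not hide them) and for a parameter name repeated within one request. The CGI path /cgi-bin/survey.pl and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Constructed request lines (not real traffic); the /cgi-bin/survey.pl path is an assumption.
SAMPLE_LINES = [
    "GET /cgi-bin/survey.pl?hid_Random_ACARAT=[%257*7%25] HTTP/1.1",
    "GET /cgi-bin/survey.pl?hid_Random_ACARAT=[%257*7%25]&hid_Random_ACARAT=x HTTP/1.1",
    "GET /cgi-bin/survey.pl?hid_Random_ACARAT=ab12&page=2 HTTP/1.1",
]

# Anything resembling a [% ... %] template block once the value is decoded.
TEMPLATE_RE = re.compile(r"\[%.*?%\]", re.S)

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so %25-style double encoding cannot mask the markers."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_request(line):
    """Return a list of findings for one 'METHOD target HTTP/x' request line."""
    parts = line.split()
    if len(parts) < 2:
        return []
    _, _, query = parts[1].partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    findings = []
    # A repeated parameter name matches the filter-bypass pattern seen on older versions.
    for name, count in Counter(name for name, _ in params).items():
        if count > 1:
            findings.append(f"duplicate parameter {name} ({count} values)")
    # Template markers inside any parameter value indicate an injection attempt.
    for name, value in params:
        if TEMPLATE_RE.search(fully_decode(value)):
            findings.append(f"template markers in {name}")
    return findings

def scan_lines(lines):
    """Return (line, findings) pairs for every request that triggered a finding."""
    flagged = ((line, analyse_request(line)) for line in lines)
    return [(line, f) for line, f in flagged if f]

if __name__ == "__main__":
    for line, findings in scan_lines(SAMPLE_LINES):
        print(line, "->", "; ".join(findings))
```

Point the same functions at the query strings in your access logs or a WAF export to find both the direct payload and the duplicate-parameter variant in historical traffic.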
Sawtooth Software released version 9.16.14 on July 9th, 2025, addressing this critical security flaw.
Organizations running Lighthouse Studio should immediately update to the patched version to prevent potential compromise of their hosting infrastructure.