Attackers Can Exploit Lighthouse Studio RCE Bug to Gain Server Access
Researchers at Assetnote have uncovered a critical remote code execution (RCE) vulnerability in Lighthouse Studio, a widely used survey software developed by Sawtooth Software.
This flaw, in the Perl CGI scripts that serve the web-based survey component, lets unauthenticated attackers execute arbitrary code on the hosting server by requesting a crafted survey URL.
Vulnerability in Popular Survey Software Exposed
Given the software’s prevalence in corporate environments, where surveys often solicit user input via popups or emails, the potential impact is substantial: organizations may host multiple outdated instances with no auto-update mechanism, so a single server can carry tens or hundreds of copies of the vulnerable scripts.
Lighthouse Studio consists of a Windows-based desktop application for survey creation and Perl CGI scripts deployed on web servers, typically Linux Apache setups with mod_cgi.
The vulnerability stems from an insecure templating engine within the scripts, particularly in the ciwweb.pl entry point, which processes user inputs such as the hid_Random_ACARAT parameter.
Attackers can inject Perl code via specially crafted URL parameters, reaching an eval sink that interprets content enclosed in [% … %] as executable code.
For instance, appending ?hid_Random_ACARAT=[%ls%] to a survey URL (with the % characters URL-encoded as %25 on the wire, as in the later example) triggers command execution, such as listing directory contents, because the input is not sanitized before HTML rendering.
This happens because user-supplied values are substituted into the template before the template is evaluated, so injected payloads reach the eval function unchecked.
Remote Code Execution Exploit
To uncover this issue, Assetnote’s team reverse-engineered the minified Perl scripts from the freely available Lighthouse Studio installer.
Using Perl::Tidy for formatting and Google Gemini to assist with deobfuscation, they mapped obfuscated names such as _fuv (form inputs) and identified the _fop subroutine’s templating logic, which passes unsanitized strings to _foq for evaluation.
While the initial exploit succeeded on newer versions, older branches (e.g., 9.15.x) inserted a space to break the template marker, turning [% into [ %.
The researchers bypassed this through the way repeated CGI parameters are handled: supplying the parameter twice (e.g., hid_Random_ACARAT=[%257*7%25]&hid_Random_ACARAT=x) yields an array reference instead of a string, which the sanitizing s/// substitutions do not match, so the injected [% … %] marker survives untouched and the RCE works reliably across versions.
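To make the two mechanisms above concrete (user substitution running before template evaluation, and the repeated-parameter bypass of the 9.15.x space-insertion fix), here is an added Perl illustration written for this article. It is not Sawtooth Software’s code and not Assetnote’s exploit: the toy template, the {{name}} placeholder syntax, and the function names render_vulnerable and render_hardened are assumptions; only the [% … %] markers, the hid_Random_ACARAT parameter and the 7*7 payload come from the write-up.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Toy page template standing in for a survey page. {{name}} placeholders are
# filled from CGI parameters; [% ... %] blocks are evaluated as Perl, as the
# write-up describes for the real engine (the exact syntax here is assumed).
my $template = <<'HTML';
<p>Welcome, {{hid_Random_ACARAT}}</p>
<p>Next question: [% 1 + 2 %]</p>
HTML

# A CGI parameter sent once arrives as a string; sent twice it arrives as an
# array reference. Reduce either form to its first value.
sub first_value {
    my ($v) = @_;
    return ref($v) eq 'ARRAY' ? $v->[0] : $v;
}

# Vulnerable order (the flaw described above): the parameter is substituted
# into the page first, then the whole page goes through eval.
sub render_vulnerable {
    my ($tpl, $params) = @_;
    my $page = $tpl;
    for my $name (sort keys %$params) {
        my $val = $params->{$name};
        # The 9.15.x-style mitigation: break any [% the user sent. It only
        # works on strings; an array reference stringifies to ARRAY(0x...),
        # never matches, and is left as it is.
        $val =~ s/\[%/[ %/g;
        $val = first_value($val);
        $page =~ s/\{\{\Q$name\E\}\}/$val/g;
    }
    $page =~ s/\[%(.*?)%\]/eval($1)/ges;   # the eval sink: user text is now inside it
    return $page;
}

# Hardened order: evaluate the template author's [% ... %] blocks first, then
# insert user values (HTML-escaped) into the already-evaluated page. Whatever
# a user sends, and however many times they send it, never reaches eval.
sub render_hardened {
    my ($tpl, $params) = @_;
    my $page = $tpl;
    $page =~ s/\[%(.*?)%\]/eval($1)/ges;
    my %esc = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    for my $name (sort keys %$params) {
        my $val = first_value($params->{$name});
        $val =~ s/([&<>"])/$esc{$1}/g;
        $page =~ s/\{\{\Q$name\E\}\}/$val/g;
    }
    return $page;
}

# Decoded forms of the query strings from the write-up: the %25 on the wire
# becomes % once CGI has decoded the request.
my %sent_once  = (hid_Random_ACARAT => '[%7*7%]');
my %sent_twice = (hid_Random_ACARAT => ['[%7*7%]', 'x']);

print "vulnerable, sent once:\n",  render_vulnerable($template, \%sent_once);   # "[ %7*7%]" shown as text
print "vulnerable, sent twice:\n", render_vulnerable($template, \%sent_twice);  # Welcome, 49: the bypass
print "hardened, sent twice:\n",   render_hardened($template, \%sent_twice);    # "[%7*7%]" shown as text
```

The first call shows the space-insertion mitigation doing its job on a plain string; the second shows the same value slipping through when it arrives inside an array reference, because the s/// never matches the reference and eval later sees 7*7. The hardened variant removes the ordering problem entirely rather than patching the sanitizer, which is the fix that survives new bypasses: nothing user-controlled exists in the page at the moment eval runs.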
The bug’s persistence is exacerbated by the software’s deployment model, where scripts are manually copied between surveys without updates, leaving legacy installations vulnerable.
Assetnote reported the flaw on April 9, 2025, leading to a patch in version 9.16.14, assigned CVE-2025-34300.
Affected users are urged to update immediately, as exploitation requires no authentication and can lead to full server compromise, including data exfiltration or further network pivoting.
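For teams that cannot patch every scattered copy at once, the request shape described above is easy to spot in web server logs. The following Perl script is an added example for this article, not tooling from Assetnote or Sawtooth Software; the three log lines are constructed, and only the ciwweb.pl path, the hid_Random_ACARAT parameter and the [% … %] markers are taken from the write-up.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in Apache combined log format. Hosts, timestamps
# and user agents are made up; the requests mirror the exploitation patterns
# described in the write-up.
my @sample_log = (
    '10.0.0.5 - - [10/Apr/2025:12:00:01 +0000] "GET /cgi-bin/ciwweb.pl?studyname=demo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2025:12:00:09 +0000] "GET /cgi-bin/ciwweb.pl?hid_Random_ACARAT=%5B%257*7%25%5D HTTP/1.1" 200 480 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Apr/2025:12:00:15 +0000] "GET /cgi-bin/ciwweb.pl?hid_Random_ACARAT=%5B%257*7%25%5D&hid_Random_ACARAT=x HTTP/1.1" 200 480 "-" "curl/8.0"',
);

# Single-pass percent-decoding, as CGI does before the scripts see a value.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Returns a hashref describing why a line looks like exploitation, or nothing.
sub inspect_line {
    my ($line) = @_;
    my ($ip, $url) = $line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)/ or return;
    my ($path, $query) = split /\?/, $url, 2;
    return unless $path =~ m{/ciwweb\.pl$} && defined $query;

    # Split on & and = before decoding so encoded delimiters inside values
    # are not mistaken for separators; keep every value sent for each name.
    my %values;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        push @{ $values{ url_decode($k) } }, url_decode($v // '');
    }

    my @reasons;
    for my $k (sort keys %values) {
        my @hits = grep { /\[%/ } @{ $values{$k} };
        next unless @hits;
        push @reasons, "template marker [% in parameter $k";
        push @reasons, "$k sent " . scalar(@{ $values{$k} }) . " times (array-reference bypass)"
            if @{ $values{$k} } > 1;
    }
    return unless @reasons;
    return { ip => $ip, path => $path, reasons => \@reasons };
}

# Read real logs when file names are given on the command line, otherwise
# run over the constructed sample.
my @lines = @ARGV ? <> : @sample_log;
chomp @lines;
for my $line (@lines) {
    my $hit = inspect_line($line) or next;
    printf "ALERT %s %s: %s\n", $hit->{ip}, $hit->{path}, join('; ', @{ $hit->{reasons} });
}
```

Run as perl detect.pl /var/log/apache2/access.log against real logs. A decoded [% in any ciwweb.pl parameter is worth a look on its own, since survey answers rarely contain template syntax, but a parameter that carries the marker and is sent more than once is the stronger signal: that is the shape of the cross-version bypass. Requests logged before the patch date still matter, because a successful payload leaves no other trace in the application.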
This discovery underscores the risks in legacy CGI applications, where minified code and eval-based templating create hidden sinks.
Assetnote integrates such research into its Attack Surface Management platform, enabling proactive detection of exploitable exposures.
Organizations relying on Lighthouse Studio should audit their web servers for outdated CGI-bin directories and apply the fix to mitigate this high-severity threat.