Researcher Found 6 Critical Vulnerabilities in NetMRI That Allow Attackers to Gain Complete Admin Access


In a Rhino Security Labs disclosure, six critical vulnerabilities have been identified in Infoblox’s NetMRI network automation and configuration management solution, specifically version 7.5.4.104695 of the virtual appliance.

These security flaws, ranging from unauthenticated command injection to hardcoded credentials and arbitrary file read as root, pose severe risks to organizations relying on NetMRI for network management.

If exploited, these vulnerabilities could enable attackers to gain complete administrative access, potentially compromising entire network infrastructures.


Severe Flaws Expose Network Automation Tool

The research highlights an unauthenticated command injection vulnerability (CVE-2025-32813) in the get_saml_request endpoint, where insufficient sanitization of the saml_id parameter allows attackers to execute arbitrary operating system commands.

[Image: output of the command injection]

By crafting a malicious URL, an attacker can run commands like whoami or even escalate to root privileges using sudo /bin/sh, thanks to a permissive entry in the /etc/sudoers file.

Another alarming flaw, an unauthenticated SQL injection (CVE-2025-32814), exists in the login page’s skipjackUsername parameter, enabling attackers to extract sensitive data such as cleartext admin passwords through error-based SQL payloads.

Additionally, hardcoded credentials (CVE-2025-32815) found in configuration files grant access to internal endpoints, which can be exploited for cookie forgery, ultimately leading to admin privilege escalation.

This is achieved by injecting malicious session data into cookie files via vulnerable endpoints like SetRawCookie.tdf, tricking the system into recognizing the attacker as an admin user.

Comprehensive Exploits Detailed for Potential Threats

Further deepening the threat, the disclosure reveals a hardcoded Ruby on Rails cookie secret key; anyone who knows the secret can forge signed session cookies, and this known Rails weakness is exploited via Metasploit modules to achieve remote code execution (RCE) and obtain a root shell.

[Image: obtaining a root shell using the Metasploit module]

Authenticated users, or attackers with forged cookies, can exploit an arbitrary file read vulnerability (CVE-2024-54188) through the ViewerFileServlet, accessing sensitive system files like /etc/shadow as root.

Lastly, an authenticated SQL injection (CVE-2024-52874) in the Run.tdf endpoint allows further data extraction, compounding the risk for compromised systems.

These interconnected flaws create a dangerous attack chain, where an initial unauthenticated exploit can cascade into full system takeover without requiring prior access privileges.

Infoblox has responded to these findings, with fixes implemented in NetMRI version 7.6.1, as confirmed in their knowledge base articles released alongside the public disclosure on June 4, 2025.

The vulnerabilities were first reported to Infoblox PSIRT on September 18, 2024, with a detailed timeline of acknowledgment, validation, and CVE assignments culminating in patches for affected systems.

According to the report, Rhino Security Labs has also published proof-of-concept code on their GitHub repository, emphasizing the urgency for organizations to update their systems.

For network administrators, this serves as a stark reminder of the critical need to patch and monitor network management tools, which are prime targets due to their extensive access across infrastructures.

Failure to address these vulnerabilities could result in catastrophic breaches, exposing sensitive configurations and potentially leading to widespread network compromise.

Immediate action to upgrade to the fixed version and review access logs for suspicious activity is strongly advised to mitigate these high-severity risks.
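As an added example that is not part of the original report or of Rhino Security Labs' proof-of-concept code, the Python script below triages web-server access logs for requests that touch the endpoints named in the article (get_saml_request/saml_id, the skipjackUsername login parameter, SetRawCookie.tdf, ViewerFileServlet and Run.tdf). The combined log format, the /login path, the query parameter names other than saml_id and skipjackUsername, and the detection heuristics are my own assumptions, and the sample log lines are constructed; NetMRI's actual log layout may differ.

```python
"""Triage access logs for requests to the NetMRI endpoints named in the
Rhino Security Labs disclosure.  Heuristic detection on constructed sample data;
the log format and most parameter names are assumptions, not NetMRI's own."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed combined-log-format line:
#   client ident user [timestamp] "METHOD TARGET PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic patterns (mine, not from the disclosure): shell metacharacters,
# common SQL-injection tokens, and references to sensitive system files.
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{|\$[A-Za-z_]")
SQL_META = re.compile(r"['\"]|--|/\*|\bunion\b", re.IGNORECASE)
SENSITIVE_PATH = re.compile(r"\.\./|/etc/(?:shadow|passwd)")

# One rule per endpoint named in the article.
#   path    : substring the request path must contain (None = any path)
#   param   : query parameter to inspect (None = inspect the whole decoded query)
#   pattern : regex that must match (None = any request to the path is reported)
RULES = [
    {"name": "CVE-2025-32813 get_saml_request cmdi", "path": "get_saml_request",
     "param": "saml_id", "pattern": SHELL_META},
    {"name": "CVE-2025-32814 login sqli", "path": None,
     "param": "skipjackUsername", "pattern": SQL_META},
    {"name": "CVE-2025-32815 SetRawCookie.tdf cookie forgery", "path": "SetRawCookie.tdf",
     "param": None, "pattern": None},
    {"name": "CVE-2024-54188 ViewerFileServlet file read", "path": "ViewerFileServlet",
     "param": None, "pattern": SENSITIVE_PATH},
    {"name": "CVE-2024-52874 Run.tdf sqli", "path": "Run.tdf",
     "param": None, "pattern": SQL_META},
]


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values once; keep blank values so probes like
    # "saml_id=" are still visible to the rules.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": parts.path, "query": unquote_plus(parts.query),
            "params": params, "status": int(m.group("status"))}


def evaluate(entry, rule):
    """Return the evidence string if `rule` fires on `entry`, else None."""
    if rule["path"] and rule["path"] not in entry["path"]:
        return None
    if rule["param"]:
        haystacks = entry["params"].get(rule["param"])
        if haystacks is None:
            return None
    else:
        haystacks = [entry["query"]]
    if rule["pattern"] is None:
        return entry["path"]  # endpoint itself is the indicator
    for value in haystacks:
        if rule["pattern"].search(value):
            return value
    return None


def scan_log(lines):
    """Run every rule over every parsable line and collect the hits.
    Caveat: parameters sent in a POST body never reach an access log, so this
    only catches query-string variants of the SQL injection probes."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in RULES:
            evidence = evaluate(entry, rule)
            if evidence is not None:
                findings.append({"ip": entry["ip"], "ts": entry["ts"], "rule": rule["name"],
                                 "path": entry["path"], "status": entry["status"],
                                 "evidence": evidence})
    return findings


def by_source(findings):
    """Count findings per client address to surface the noisiest sources."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log: two benign requests and five probes from two hosts.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2025:12:00:01 +0000] "GET /get_saml_request?saml_id=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2025:12:00:09 +0000] "GET /get_saml_request?saml_id=abc%3B%24PROBE HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [04/Jun/2025:12:00:15 +0000] "GET /login?skipjackUsername=admin%27 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [04/Jun/2025:12:00:22 +0000] "GET /SetRawCookie.tdf HTTP/1.1" 200 64 "-" "curl/8.0"',
    '198.51.100.7 - - [04/Jun/2025:12:00:30 +0000] "GET /ViewerFileServlet?name=%2Fetc%2Fshadow HTTP/1.1" 200 1200 "-" "curl/8.0"',
    '203.0.113.9 - - [04/Jun/2025:12:01:02 +0000] "GET /Run.tdf?id=1%27--%20 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '10.0.0.5 - - [04/Jun/2025:12:01:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["rule"]} -> {h["evidence"]!r} (HTTP {h["status"]})')
    print("per-source counts:", by_source(hits))
```

The rules are deliberately loose (any request to SetRawCookie.tdf is reported, and a single quote in skipjackUsername is enough to flag a line), so expect some false positives on busy systems; the value is in correlating several rule hits from the same source address in a short window, which is what the per-source count is for.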

