## https://sploitus.com/exploit?id=2E27957E-5926-55EC-9C16-1C8F6AC98AF7
# CVE-2025-69600
- **author:** Rafael José Núñez Gulías
- **company:** Iberian Var Group
- **Affected products:** RayVentory Scan Engine 12.6 Update 8 and previous versions
- **Raynet advisory:** [RSEC200966](https://support.raynet.de/hc/en-us/articles/46163185339284-RSEC200966-Command-Injection-via-Unsafe-System-Calls-CVE-2025-69600)
Command injection in Raynet's `rvia` allows adversaries to execute commands via `getconfig`, `upload`, `inventory`, and `oracle` options.
A validation is only performed (if configured via the configuration property `ForbiddenCurlChars` in the `/etc/rvia_configuration`) when getting the URL from the `/opt/rvia/rvia.cfg` configuration file and not when the URL is directly passed to the options `getconfig` or `upload`.
```bash
/opt/rvia/rvia getconfig \;command\;
```

Under the hood, the constructed command looks as follows:

Through the option `oracle` it is also possible to inject commands.
> This option might fail if a Java environment is not found by `rvia` (under the hood a call to the `find` command is made) and the `javaPaths` options in the `/opt/rvia/rvia.cfg` is not set
In this case, the `/opt/rvia/rvia.cfg` is defined with the option `javaPaths=/usr/lib/jvm/java-21-openjdk-amd64/`.
```bash
/opt/rvia/rvia oracle \;command\;
```

The constructed command looks like this:

The same occurs at the configuration file (`/opt/rvia/rvia.cfg`) with the options `oracleUser` and `oraclePass`.

The call under the hood is the following one:

The same applies to the `upload` option by specifying a command to execute after the URL specification. In this case a previous scaped of double quotes is needed and also a hashtag at the end of the command to ignore the following arguments.
> This option might fail if there are no inventory files at `/opt/rvia/results` (by default) directory to upload which are created by the inventory option
```bash
/opt/rvia/rvia upload \"\;command\;#
```

From `ltrace` we see the following:

Finally, the `inventory` option is also vulnerable.
```bash
/opt/rvia/rvia inventory \;command\;
```

The constructed command under the hood:
