CVE-2025-34103
WePresent WiPG-1000 Unauthenticated Command Injection via rdfs.cgi
An unauthenticated command injection vulnerability exists in WePresent WiPG-1000 firmware versions prior to 2.2.3.0, due to improper input handling in the undocumented /cgi-bin/rdfs.cgi endpoint. The Client parameter is not sanitized before being passed to a system call, allowing an unauthenticated remote attacker to execute arbitrary commands as the web server user.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
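A triage sketch for the issue described above, added here as an example and not taken from the advisory or the vendor: it flags any request that reaches the undocumented endpoint and checks inventoried firmware versions against the fixed release. It assumes a proxy or firewall in front of the device writes "combined" format access logs; the sample lines and the function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/cgi-bin/rdfs.cgi"   # endpoint named in the advisory
FIXED = (2, 2, 3, 0)             # versions prior to 2.2.3.0 are affected

# Assumption: Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target):
    """Drop the query string, decode percent-encoding, collapse '//' and
    '/./' so lightly obfuscated paths still compare equal to ENDPOINT."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def rdfs_hits(lines):
    """Return (source, timestamp, method, status) for every request to the
    endpoint. It is undocumented, so any hit deserves review."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalize_path(m["target"]) == ENDPOINT:
            hits.append((m["src"], m["ts"], m["method"], int(m["status"])))
    return hits

def is_vulnerable(version):
    """True if a dotted firmware version string is older than 2.2.3.0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (4 - len(parts))   # pad short versions such as "2.3"
    return parts < FIXED

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2025:10:01:02 +0000] "POST /cgi-bin/rdfs.cgi HTTP/1.1" 200 312 "-" "-"',
    '10.0.0.5 - - [12/Mar/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2025:10:03:00 +0000] "GET //cgi-bin/%72dfs.cgi?x=1 HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in rdfs_hits(SAMPLE):
        print("review:", hit)
    for fw in ("2.0.0.7", "2.2.3.0"):   # constructed inventory values
        print(fw, "vulnerable" if is_vulnerable(fw) else "fixed")
```

A hit with a 200 status on a device running firmware older than 2.2.3.0 is the combination to escalate first.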
Affected products
WePresent (Barco) · WiPG-1000
Public PoCs found — 2
cve_reference: raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/wipg1000_cmd_injection.rb (unverified)
cve_reference: www.exploit-db.com/exploits/41935 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/wipg1000_cmd_injection.rb
https://www.exploit-db.com/exploits/41935
https://www.redguard.ch/advisories/wepresent-wipg1000.txt
https://www.vulncheck.com/advisories/we-present-wi-pg-1000-unauthenticated-command-injection