A high-severity vulnerability has been identified in RaspAP webgui versions prior to 3. This flaw could allow an unauthenticated remote attacker to execute arbitrary commands on the affected device, leading to a full system compromise. Successful exploitation could result in data theft, network disruption, or the use of the compromised device to launch further attacks against the internal network.

The vulnerability is a command injection flaw within the web-based management interface of RaspAP. An unauthenticated attacker can send a specially crafted HTTP request to a specific API endpoint that fails to properly sanitize user-supplied input. This input is then passed directly to a system shell command, allowing the attacker to inject and execute arbitrary commands on the underlying operating system with the privileges of the web server user.

This vulnerability presents a significant risk to the organization, classified as High severity with a CVSS score of 8.8. An attacker successfully exploiting this flaw could gain complete control over the RaspAP device. This could lead to severe consequences, including the interception and theft of sensitive network traffic, unauthorized access to internal network segments, deployment of malware, and disruption of network services. A compromised RaspAP device could serve as a persistent foothold for an attacker to pivot and escalate their attack across the corporate network.

Immediate Action: Immediately identify all instances of RaspAP raspap-webgui within the environment and upgrade them to version 3.0 or later, as recommended by the vendor. After patching, review web server and system access logs for any signs of compromise or unusual activity preceding the update.

Proactive Monitoring: Monitor web server logs for suspicious requests containing shell metacharacters (e.g., ;, |, &, $(, `) directed at the RaspAP interface. System-level monitoring should be configured to alert on unexpected processes being spawned by the web server user (e.g., www-data). Network monitoring should focus on identifying anomalous outbound traffic from RaspAP devices.

Compensating Controls: If immediate patching is not feasible, restrict network access to the RaspAP management interface to a dedicated, trusted administrative network or specific IP addresses. If the interface must be exposed, place it behind a Web Application Firewall (WAF) with rulesets configured to detect and block command injection attempts.

Public Exploit Available: false

Given the high severity of this vulnerability and the potential for complete system compromise, we strongly recommend that organizations prioritize the immediate patching of all affected RaspAP devices. Although this CVE is not currently listed on the CISA KEV catalog, its high-impact nature makes it a prime target for future exploitation. All internet-facing instances should be considered critically at risk and addressed immediately, followed by internal instances to prevent lateral movement by an attacker.