EUVD-2025-208911

CVE-2025-63261 | Severity: HIGH | Published: 2026-03-20 (mitre) | CVSS 3.1 base score: 7.8

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Mar 20, 2026 - 20:30: Analysis Generated (vuln.today)
Mar 20, 2026 - 20:30: EUVD ID Assigned, EUVD-2025-208911 (euvd)
Mar 20, 2026 - 00:00: CVE Published (nvd)

Description

AWStats 8.0 is vulnerable to command injection via the open function.

Analysis

AWStats 8.0 contains a command injection vulnerability in the open function that allows attackers to execute arbitrary system commands. The vulnerability affects the AWStats web analytics application, and attackers can exploit this flaw to achieve remote code execution on systems running vulnerable versions. A proof-of-concept has been documented in the referenced pentest-tools PDF, indicating practical exploitability.

Technical Context

AWStats is a Perl-based web server log analysis tool that processes log files through CGI scripts. The vulnerability exists in the awstats.pl script within the open function, which likely fails to properly sanitize or validate input parameters before passing them to system command execution routines. This is a classic command injection vulnerability, in which untrusted user input is concatenated into shell commands without proper escaping or validation. The Perl open function, when used improperly with user-controlled data, can interpret shell metacharacters and execute arbitrary commands with the privileges of the web server process.

Affected Products

AWStats version 8.0 is confirmed as vulnerable. The CPE data provided indicates affected products under the generic CPE structure, though specific vendor CPE strings are not fully defined in the available data. AWStats is an open-source Perl-based web analytics tool distributed via GitHub (https://github.com/eldy/AWStats/blob/develop/wwwroot/cgi-bin/awstats.pl). Users running AWStats 8.0 in production environments, particularly those with internet-facing CGI interfaces, are at immediate risk. The scope of affected installations is potentially broad given AWStats' widespread use in legacy web server environments.

Remediation

Immediately upgrade AWStats to the latest patched version available from the official GitHub repository (https://github.com/eldy/AWStats). If an immediate patch is unavailable, implement strict input validation and sanitization for all user-supplied parameters passed to the open function, ensuring shell metacharacters are properly escaped or rejected. As an interim measure, restrict access to the awstats.pl CGI script using web server access controls (IP whitelisting, authentication), disable the CGI script entirely if not actively in use, and run the web server with minimal privileges to limit the blast radius of code execution. Consider deploying a Web Application Firewall (WAF) with rules to detect and block command injection payloads targeting AWStats endpoints. Monitor system logs and process execution for suspicious activity originating from the web server process.
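The following Perl snippet is an added illustration of the defect class described in the Technical Context section and of the input-validation fix recommended above; it is not AWStats code and does not reproduce the awstats.pl open call. It contrasts the two-argument form of open, whose mode is taken from the value itself (a leading or trailing pipe character makes Perl spawn a command, as documented in perlopentut), with a hardened reader that allowlists the file name and uses the three-argument form with an explicit mode. All function names, the log directory, and the sample inputs are assumed or constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not AWStats code. Function names, $LOG_DIR and the test
# inputs are hypothetical / constructed for illustration.
use strict;
use warnings;

# ANTI-PATTERN: two-argument open lets the *value* choose the open mode.
# A name that begins or ends with '|' is treated as a command to pipe
# to/from, so a CGI parameter reaching this call can run commands as the
# web server user. Kept here only to show the defect the advisory describes.
sub read_log_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return undef;    # mode comes from $name itself
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# HARDENED: validate first, then open with an explicit '<' mode so the
# value can never select a pipe mode, whatever characters it contains.
my $LOG_DIR = '/var/log/apache2';           # assumed location

sub validate_log_name {
    my ($name) = @_;
    # Accept only a bare file name of letters, digits, dot, dash and
    # underscore. This rejects '|', ';', '/', whitespace and NUL in one place.
    return undef unless defined $name && $name =~ /\A([A-Za-z0-9._-]+)\z/;
    my $clean = $1;                         # untainted copy of the match
    return undef if $clean =~ /\A\./;       # no dotfiles and no '..'
    return $clean;
}

sub read_log_safe {
    my ($name) = @_;
    my $clean = validate_log_name($name);
    return undef unless defined $clean;
    my $path = "$LOG_DIR/$clean";
    open(my $fh, '<', $path) or return undef;   # explicit read-only mode
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# Self-check of the validator against constructed inputs
# (1 = should be accepted, 0 = should be rejected).
my %cases = (
    'access.log'    => 1,
    'access.log.1'  => 1,
    '../etc/passwd' => 0,
    'name|cmd'      => 0,   # pipe metacharacter
    'a;b'           => 0,
    '.hidden'       => 0,
    'with space'    => 0,
);
for my $in (sort keys %cases) {
    my $ok = defined validate_log_name($in) ? 1 : 0;
    printf "%-16s %s\n", $in, $ok == $cases{$in} ? 'OK' : 'MISMATCH';
}

my $lines = read_log_safe('access.log');
print defined $lines ? scalar(@$lines) . " lines read\n"
                     : "access.log not readable under $LOG_DIR\n";
```

The allowlist regex is the important control: it rejects every shell metacharacter and path separator in one place rather than trying to enumerate dangerous characters, and the three-argument open is the belt-and-braces second layer. Running the script under `perl -T` (taint mode) is a further check, since Perl then refuses to pass untainted CGI input to open in a mode that could spawn a process.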

Priority Score

39 (scale: Low / Medium / High / Critical)

Score components:
KEV: 0
EPSS: +0.2
CVSS: +39
POC: 0

EUVD-2025-208911 vulnerability details – vuln.today
