CVE-2025-27590 Overview
CVE-2025-27590 is a critical authentication bypass vulnerability in Oxidized Web (oxidized-web) before version 0.15.0. The vulnerability exists in the RANCID migration page, which allows an unauthenticated user to gain complete control over the Linux user account running the oxidized-web service. This represents a severe security flaw that could lead to full system compromise, as attackers can execute arbitrary commands with the privileges of the oxidized-web process owner.
Critical Impact
Unauthenticated attackers can gain complete control over the Linux user account running oxidized-web, potentially leading to full system compromise, credential theft, and lateral movement within the network infrastructure.
Affected Products
- Oxidized Web versions prior to 0.15.0
- oxidized-web RANCID migration functionality
- Systems running oxidized-web with exposed network interfaces
Discovery Timeline
- 2025-03-03 - CVE-2025-27590 published to NVD
- 2025-03-10 - Last updated in NVD database
Technical Details for CVE-2025-27590
Vulnerability Analysis
This vulnerability affects the RANCID migration functionality within Oxidized Web, a web interface for the Oxidized network device configuration backup tool. The core issue stems from missing authentication controls on the migration page, which processes sensitive file operations and credential handling. The RANCID migration feature was designed to help administrators transition from RANCID (Really Awesome New Cisco confIg Differ) to Oxidized by parsing configuration files including cloginrc files that contain network device credentials.
The vulnerability allows any unauthenticated remote attacker with network access to the oxidized-web interface to invoke the migration functionality. Since this functionality processes file uploads and handles credential files, an attacker can leverage it to gain control over the user account context in which oxidized-web operates.
Root Cause
The root cause is the complete absence of authentication and authorization controls on the RANCID migration page. The Oxidized::API::Mig class in lib/oxidized/web/mig.rb accepted file uploads and processed sensitive credential files without verifying that the requesting user was authenticated or authorized to perform such operations. This represents a broken access control vulnerability (CWE-22) where path traversal and unauthenticated access combine to allow complete account takeover.
Attack Vector
The attack vector is network-based and requires no user interaction or authentication. An attacker can:
- Access the oxidized-web interface over the network
- Navigate to the RANCID migration page without authentication
- Upload malicious content through the file upload mechanism
- Exploit the credential parsing functionality to manipulate the system
The vulnerability is particularly dangerous because oxidized-web typically runs with elevated privileges to access and back up network device configurations, meaning successful exploitation grants access to network infrastructure credentials.
The security patch completely removes the vulnerable RANCID migration functionality:
-module Oxidized
- module API
- class Mig
- def initialize(hash_router_db, cloginrc, path_new_router)
- @hash_router_db = hash_router_db
- @cloginrc = cloginrc
- @path_new_router = path_new_router
- end
-
- # read cloginrc and return a hash with node name, which a hash value which contains user,
- # password, eventually enable
- def cloginrc(clogin_file)
- close_file = clogin_file
- file = close_file.read
- file = file.gsub('add', '')
-
- hash = {}
- file.each_line do |line|
- # stock all device name, and password and enable if there is one
- line = line.split
- (0..line.length).each do |i|
- if line[i] == 'user'
- # add the equipment and user if not exist
- hash[line[i + 1]] = { user: line[i + 2] } unless hash[line[i + 1]]
- # if the equipment exist, add password and enable password
- elsif line[i] == 'password'
- if hash[line[i + 1]]
- if line.length > i + 2
- h = hash[line[i + 1]]
- h[:password] = line[i + 2]
Source: GitHub Security Commit
The associated JavaScript functionality was also removed:
-// Add a line for a new file to upload
-var add_file_upload = function() {
- var rancidDbDiv = $("div[id^='rancidDb']:last");
- var num = parseInt(rancidDbDiv.prop("id").match(/\d+/g)) + 1;
- rancidDbDiv.clone(true)
- .prop("id", "rancidDb" + num)
- .insertAfter(rancidDbDiv);
- $("input[id^='file']:last")
- .prop("id", "file" + num)
- .prop("name", "file" + num)
- .parents('.input-group')
- .find(':text')
- .val('');
- $("input[id^='group']:last")
- .prop("id", "group" + num)
- .prop("name", "group" + num);
-};
Source: GitHub Security Commit
Detection Methods for CVE-2025-27590
Indicators of Compromise
- Unexpected HTTP requests to RANCID migration endpoints (e.g., /migrate, /mig)
- Unauthorized file upload activity to the oxidized-web service
- Unusual process execution under the oxidized-web user account
- Changes to oxidized configuration files or router database files
- Network connections from the oxidized-web host to unexpected destinations
Detection Strategies
- Monitor web server access logs for requests to migration-related URLs from external or unauthorized IP addresses
- Implement network intrusion detection rules to identify exploitation attempts targeting oxidized-web endpoints
- Deploy file integrity monitoring on oxidized configuration directories
- Configure alerting for any new processes spawned by the oxidized-web user account
Monitoring Recommendations
- Enable detailed logging for all oxidized-web HTTP requests and file operations
- Monitor the oxidized-web user account for suspicious activity including new SSH keys, cron jobs, or shell history changes
- Implement network segmentation alerts if the oxidized-web host attempts connections to unusual internal or external hosts
- Review authentication logs for the host system running oxidized-web for unauthorized access attempts
How to Mitigate CVE-2025-27590
Immediate Actions Required
- Upgrade oxidized-web to version 0.15.0 or later immediately
- Restrict network access to oxidized-web interfaces using firewall rules to trusted management networks only
- Audit the oxidized-web host for signs of compromise including unauthorized SSH keys, modified configurations, and unexpected processes
- Rotate all credentials that may have been accessible through oxidized (network device passwords, enable secrets)
- Review logs for any prior unauthorized access to the migration functionality
Patch Information
The vulnerability has been addressed in oxidized-web version 0.15.0. The fix completely removes the vulnerable RANCID migration page functionality rather than adding authentication, eliminating the attack surface entirely. Organizations should upgrade to version 0.15.0 or later by updating their oxidized-web installation. The security fix is available in commit a5220a0ddc57b85cd122bffee228d3ed4901668e. See the official release on GitHub for upgrade instructions.
Workarounds
- Block all network access to the oxidized-web interface except from trusted management hosts using host-based or network firewalls
- Place oxidized-web behind a reverse proxy with authentication requirements
- If RANCID migration is not needed, manually remove or disable the migration functionality by deleting lib/oxidized/web/mig.rb
- Run oxidized-web in a containerized or sandboxed environment to limit the impact of potential compromise
# Configuration example - Restrict access using iptables
# Allow only management network to access oxidized-web (default port 8888)
iptables -A INPUT -p tcp --dport 8888 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j DROP
# Alternative: Use nginx as reverse proxy with basic auth
# /etc/nginx/sites-available/oxidized-web
# location / {
# auth_basic "Restricted";
# auth_basic_user_file /etc/nginx/.htpasswd;
# proxy_pass http://127.0.0.1:8888;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
