Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-54123

CVE-2025-54123: Hoverfly Command Injection RCE Vulnerability

CVE-2025-54123 is a command injection vulnerability in Hoverfly's middleware API endpoint that enables remote code execution. Attackers can execute arbitrary commands on systems running vulnerable versions. This article covers technical details, affected versions, impact, and mitigation steps.

Published: March 11, 2026

CVE-2025-54123 Overview

CVE-2025-54123 is a critical command injection vulnerability affecting Hoverfly, an open source API simulation tool. The vulnerability exists in the middleware management API endpoint /api/v2/hoverfly/middleware where insufficient input validation and sanitization allows attackers to inject and execute arbitrary system commands. This flaw enables unauthenticated remote code execution (RCE) on any system running vulnerable Hoverfly versions 1.11.3 and prior.

Critical Impact

Unauthenticated attackers can achieve full remote code execution on affected Hoverfly instances, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.

Affected Products

  • Hoverfly versions 1.11.3 and prior
  • All Hoverfly deployments with the middleware API endpoint exposed
  • Systems running Hoverfly with default configurations

Discovery Timeline

  • September 10, 2025 - CVE-2025-54123 published to NVD
  • September 17, 2025 - Last updated in NVD database

Technical Details for CVE-2025-54123

Vulnerability Analysis

This command injection vulnerability stems from a combination of three distinct code-level flaws in the Hoverfly codebase. The vulnerability allows attackers to pass malicious input through the middleware API endpoint, which is then directly passed to system command execution without proper sanitization. Since Hoverfly executes middleware as local processes with the privileges of the Hoverfly service, successful exploitation grants attackers the ability to run arbitrary commands, upload malicious payloads, or establish reverse shells on the host server.

The attack can be executed remotely over the network without requiring authentication or user interaction, making it particularly dangerous for internet-exposed Hoverfly instances. The impact encompasses complete compromise of confidentiality, integrity, and availability of the affected system.

Root Cause

The vulnerability results from three interconnected code flaws:

  1. Insufficient Input Validation in middleware.go (lines 94-96) - The middleware configuration accepts user input without adequate validation
  2. Unsafe Command Execution in local_middleware.go (lines 14-19) - User-controlled input is passed directly to system command execution functions
  3. Immediate Execution During Testing in hoverfly_service.go (line 173) - The middleware is executed immediately when set, allowing instant exploitation

Attack Vector

The attack is network-based, targeting the /api/v2/hoverfly/middleware endpoint. An attacker sends a specially crafted HTTP request to the middleware API containing malicious command injection payloads. The lack of input sanitization means shell metacharacters and command sequences are interpreted by the underlying operating system, enabling arbitrary command execution with the privileges of the Hoverfly process.

go
// Security patch in core/admin.go - Disabled set middleware api by default
// Source: https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40

 		&v2.HoverflyHandler{Hoverfly: hoverfly},
 		&v2.HoverflyDestinationHandler{Hoverfly: hoverfly},
 		&v2.HoverflyModeHandler{Hoverfly: hoverfly},
-		&v2.HoverflyMiddlewareHandler{Hoverfly: hoverfly},
+		&v2.HoverflyMiddlewareHandler{Hoverfly: hoverfly, Enabled: hoverfly.Cfg.EnableMiddlewareAPI},
 		&v2.HoverflyUsageHandler{Hoverfly: hoverfly},
 		&v2.HoverflyVersionHandler{Hoverfly: hoverfly},
 		&v2.HoverflyUpstreamProxyHandler{Hoverfly: hoverfly},

Detection Methods for CVE-2025-54123

Indicators of Compromise

  • Unexpected HTTP PUT requests to /api/v2/hoverfly/middleware endpoint
  • Suspicious process spawning from the Hoverfly process (e.g., sh, bash, cmd.exe, powershell.exe)
  • Outbound network connections from Hoverfly to unusual IP addresses (potential reverse shell activity)
  • Unusual file system modifications or new files created by the Hoverfly process

Detection Strategies

  • Monitor web server logs for PUT requests to /api/v2/hoverfly/middleware containing shell metacharacters (;, |, &&, $(), backticks)
  • Implement network-level intrusion detection rules to flag suspicious payloads targeting Hoverfly middleware endpoints
  • Deploy endpoint detection to monitor for child process creation from Hoverfly service processes
  • Utilize SentinelOne's behavioral AI to detect anomalous command execution patterns originating from API simulation tools

Monitoring Recommendations

  • Enable verbose logging for the Hoverfly admin API and forward logs to a SIEM for correlation analysis
  • Configure alerting for any successful middleware configuration changes via the API
  • Monitor system call activity from the Hoverfly process for execution of shell interpreters or system utilities
  • Implement network segmentation to restrict access to the Hoverfly admin API from untrusted networks

How to Mitigate CVE-2025-54123

Immediate Actions Required

  • Upgrade Hoverfly to version 1.12.0 or later, which disables the set middleware API by default
  • If immediate upgrade is not possible, restrict network access to the /api/v2/hoverfly/middleware endpoint using firewall rules or reverse proxy configurations
  • Audit existing Hoverfly deployments to identify any internet-exposed instances
  • Review system logs for evidence of exploitation attempts against the middleware endpoint

Patch Information

The vulnerability has been addressed in Hoverfly version 1.12.0 through commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40, which disables the set middleware API by default. Additional documentation updates were made in commit a9d4da7bd7269651f54542ab790d0c613d568d3e to inform users of the security implications of exposing the middleware API. For complete details, refer to the GitHub Security Advisory GHSA-r4h8-hfp2-ggmf.

Workarounds

  • Use the new -enable-middleware-api=false flag (default in version 1.12.0) to explicitly disable the vulnerable API endpoint
  • Implement network-level access controls to block external access to the Hoverfly admin API
  • Deploy a web application firewall (WAF) with rules to detect and block command injection payloads
  • Run Hoverfly with minimal system privileges to limit the impact of successful exploitation
bash
# Configuration example - Starting Hoverfly with middleware API disabled (default in 1.12.0+)
hoverfly -enable-middleware-api=false

# For versions prior to 1.12.0, use network restrictions
# Example iptables rule to restrict admin API access to localhost only
iptables -A INPUT -p tcp --dport 8888 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechHoverfly
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability47.29%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-20
  • CWE-78
  • Technical References
  • GitHub Hoverfly Service Code
  • GitHub Local Middleware Code
  • GitHub Middleware Code
  • Vendor Resources
  • GitHub Commit 17e60a9
  • GitHub Commit a9d4da7
  • GitHub Security Advisory GHSA-r4h8-hfp2-ggmf
  • Related CVEs
  • CVE-2025-54376: Hoverfly Information Disclosure Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English