CVE-2025-6978 Arbitrary Code Execution in the Arista NG Fire...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.thezdi.com/blog/2026/2/4/cve-2025-6978-arbitrary-code-execution-in-the-arista-ng-firewall
• Blog Title: CVE-2025-6978: Arbitrary Code Execution in the Arista NG Firewall
• Suggested Section: Network Services Pentesting -> 80,443 - Pentesting Web -> Command Injection (include a subsection on JSON-RPC command injection via env vars + eval; blacklist bypass using backticks/command substitution)

🎯 Content Summary

CVE-2025-6978 (blog text describes CVE-2025-6798): Authenticated command injection → root arbitrary code execution in Arista NG Firewall

Product / exposure

Arista NG Firewall (formerly Untangle) can be administered via a Web UI or a JSON-RPC API over HTTP(S). The vulnerable surface is the admin JSON-RPC endpoint reachable via HTTP POST to:

/admin/JSON-RPC

The attack is remote but requires authenticated acces...

🔧 Technical Details

Technique 1 — JSON-RPC → environment variables → shell eval sink: If a JSON-RPC endpoint converts attacker-controlled key/value pairs into environment variables (e.g., KEY=value strings passed via Runtime.getRuntime().exec(cmd, envp)) and a downstream shell script concatenates those environment variables into a command string executed with eval, the environment-variable values become a command-injection primitive. Even with an allow-listed primary “command” argument (enum/switch), attackers can inject via secondary arguments that influence the script’s command construction.

Technique 2 — Blacklist bypass of shell metacharacters: Filtering only a small set of tokens (e.g., ; & | > $() is insufficient because shells provide multiple expansion/command-substitution mechanisms. Unblocked characters (the post highlights backticks `) can still cause command substitution and code e...

🤖 Agent Actions

Summary:

• Added a JSON-RPC–to–env var shell eval injection subsection detailing the allowlist flow, weak blacklist, and backtick-based command substitution exploit path.
• Included a concise POST PoC and network/detection guidance with regex for spotting malicious HOST/URL values in /admin/JSON-RPC traffic.
• Updated references to cite the Arista NG Firewall command injection research.

Tests:

• Not run (not needed for documentation changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.thezdi.com/blog/2026/2/4/cve-2025-6978-arbitrary-code-execution-in-the-arista-ng-firewall

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 80,443 - Pentesting Web -> Command Injection (include a subsection on JSON-RPC command injection via env vars + eval; blacklist bypass using backticks/command substitution)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0