A critical security vulnerability (CVE-2025-34300) has been discovered in Lighthouse Studio, the widely-used survey software suite developed by Sawtooth Software.
The flaw enables remote code execution (RCE) on web servers hosting the suite's Perl CGI scripts, potentially giving an attacker complete control over the affected system.
Assetnote, the security firm that uncovered the bug, warns that the exposed attack surface is substantial: the vulnerable scripts are often copied into multiple directories alongside each survey, and the server-side component has no auto-update mechanism, so patched desktop installs do not automatically patch the web servers.
How the Vulnerability Works
Lighthouse Studio’s architecture consists of a Windows-based desktop application for survey creation, and Perl CGI scripts that render and manage surveys on web servers typically running Apache on Linux.
Researchers at Assetnote reverse-engineered the obfuscated server-side scripts and identified a dangerous pattern: user-supplied input is processed through a custom templating engine that evaluates Perl expressions enclosed in [% ... %].
The root cause lies in how the software handles user-provided request parameters (for example hid_Random_ACARAT).
Any value wrapped in [% and %] is passed straight to Perl's string eval, so the attacker controls what Perl executes. The payload can be delivered in an ordinary HTTP GET request; for example, requesting:
text/ExampleSurvey/cgi-bin/ciwweb.pl?hid_Random_ACARAT=[%257*7%25]
(where %25 is the URL-encoded percent sign, so the decoded value is [%7*7%]) causes the server to evaluate the expression 7*7 and embed the result in the rendered survey page.
Because the delimited text is evaluated as Perl rather than merely parsed as an expression, the same channel reaches the operating system: a payload using backticks runs arbitrary shell commands as the web server user, which is enough to compromise the whole host.
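The pattern described above, as an added illustration that is not Sawtooth Software's code or Assetnote's exploit: a toy Perl renderer (render_unsafe) that evaluates [% ... %] with string eval, beside a hardened renderer (render_safe) that only substitutes allow-listed variable names and never evaluates anything. The query string, the function names and the url_decode helper are constructed for this example; the real ciwweb.pl is obfuscated and its internals are not reproduced here.

```perl
#!/usr/bin/env perl
# Added illustration (not Sawtooth Software's code): a toy template renderer
# with the [% ... %] eval bug class described in the article, next to a
# hardened renderer that treats such tokens as data only.
use strict;
use warnings;

# Minimal percent-decoding of a query-string value. The article's payload is
# encoded once (%25 -> %), so a single decode yields the raw template token.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# VULNERABLE: whatever sits between [% and %] is handed to Perl's string eval,
# so arithmetic, arbitrary Perl and backtick shell commands all execute.
sub render_unsafe {
    my ($template) = @_;
    $template =~ s{\[%(.*?)%\]}{
        my $expr = $1;
        my $out  = eval $expr;       # user-controlled code runs here
        defined $out ? $out : ''
    }ges;
    return $template;
}

# HARDENED: a token is replaced only if it is a bare identifier present in a
# hash the application controls; anything else becomes empty text. Nothing
# from the token is ever evaluated.
sub render_safe {
    my ($template, $vars) = @_;
    $template =~ s{\[%\s*(.*?)\s*%\]}{
        my $name = $1;
        ($name =~ /\A[A-Za-z_]\w*\z/ && exists $vars->{$name})
            ? $vars->{$name} : ''
    }ges;
    return $template;
}

# Constructed request, mirroring the shape of the article's example URL.
my $query = 'hid_Random_ACARAT=[%257*7%25]';
my ($param, $value) = split /=/, $query, 2;
my $decoded = url_decode($value);            # [%7*7%] after one decode

# Vulnerable path: the parameter is interpolated into the page text and the
# page is then rendered, so the attacker's token reaches eval.
print "unsafe: ", render_unsafe("Random: $decoded\n");

# Backtick escalation: a harmless command stands in for what an attacker runs.
my $cmd = '[%`echo pwned`%]';
print "unsafe: ", render_unsafe("Random: $cmd");

# Hardened path: the template is fixed application text and the parameter is
# passed as a value; the token inside it is output verbatim, not rendered.
my %vars = (survey_name => 'ExampleSurvey', hid_Random_ACARAT => $decoded);
print "safe:   ", render_safe(
    "Survey [% survey_name %], random [% hid_Random_ACARAT %]\n", \%vars);

# Even if the parameter were wrongly interpolated into the template, the
# hardened renderer drops the non-identifier token instead of evaluating it.
print "safe:   ", render_safe("Random: $decoded\n", \%vars);
```

The design point is that render_safe separates template (trusted, written by the application) from data (the request parameter) and substitutes in a single pass, so a value that itself contains [% ... %] is emitted as literal text rather than rendered again. Attempting to keep string eval and merely filter the delimiters, as the article's next section shows, leaves the eval reachable through any encoding or parameter-handling quirk the filter did not anticipate.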
Bypassing Legacy Protections
Earlier versions of Lighthouse Studio attempted to block such injections with a filter that inserted a space into the [% ... %] token so the templating engine would no longer recognize it, rather than removing the eval itself.
Assetnote bypassed this check by submitting the same parameter twice; the duplicate values changed how the script handled the parameter (the multi-valued input was treated as an array rather than a single string), and the filter no longer applied to the value that eventually reached eval.
Patch Released; Immediate Update Urged
Sawtooth Software released version 9.16.14 on July 9th, 2025, fixing the issue after coordinated disclosure by Assetnote.
Organizations using Lighthouse Studio are strongly advised to update immediately. Because the CGI scripts are deployed per survey and copied between directories, updating the desktop application is not enough: every web server hosting ciwweb.pl needs the patched scripts, and vulnerable copies may otherwise remain exposed for months.
This RCE flaw in Lighthouse Studio underscores the danger of evaluating template syntax that can contain untrusted input: delimiter filtering is not a substitute for keeping user data out of eval entirely.
With exploitation of a bug like this reduced to a single GET request, organizations must prioritize prompt patching of widely deployed third-party components, including server-side scripts that are not covered by an installer's update mechanism.