CVE-2025-34300 Scanner - Remote Code Execution vulnerability in Sawtooth Software Lighthouse Studio
Short Info
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 15 hours
Scan only one: Domain, Subdomain, IPv4
Sawtooth Software Lighthouse Studio is a sophisticated survey design platform widely used by businesses and researchers to collect and analyze complex survey data. Its intuitive user interface and powerful features allow users to create surveys ranging from simple questionnaires to intricate conjoint analysis studies. The software is deployed in a wide range of sectors, including market research, healthcare, and education, to gain insights that drive decision-making processes. Its ease of integration and extensive customization options make it a valuable tool for professionals seeking in-depth insights into customer and employee preferences. Lighthouse Studio is highly regarded for its advanced analytics capabilities and powerful reporting tools, which assist users in data-driven decision-making.
This vulnerability is a Remote Code Execution (RCE) flaw caused by unsafe coding practices in the software's Perl CGI component, `ciwweb.pl`. User input is handled improperly and passed to the `eval` function without adequate sanitization. Attackers can exploit this flaw to execute arbitrary code on the server, compromising the integrity and availability of the system. The flaw is exploitable pre-authentication, meaning attackers do not need prior access or credentials to target the system. The critical impact includes unauthorized access and potential data breaches, leading to significant security risks.
Technically, the vulnerability is a misuse of the `eval` function in Lighthouse Studio's CGI script, `ciwweb.pl`. The vulnerable entry point is `hid_Random_ACARAT`, which carries user input into the script. Attackers can manipulate this input to inject malicious Perl code, which the server then executes. This failure of input validation allows remote attackers to gain control over server operations. It shows the danger of using potentially unsafe functions like `eval` in web applications without stringent input validation.
If exploited by malicious actors, this vulnerability could result in unauthorized command execution, data theft, alteration or deletion, and potentially full control over the affected systems. Businesses relying on this software might face data integrity issues, financial losses, compliance violations, and reputational damage. Rapid exploitation could even facilitate further attacks, leveraging compromised systems to infiltrate wider networks.
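An access-log triage for the input described above, added here as an example and not part of the scanner or of Sawtooth Software's code. It assumes `hid_Random_ACARAT` arrives as a request parameter of `ciwweb.pl`, that the server writes combined-format access logs, and that legitimate values are digits and commas; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /cgi-bin/ciwweb.pl?constructed=1 HTTP/1.1" 200 5120
192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/ciwweb.pl?hid_Random_ACARAT=12,7,3 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /cgi-bin/ciwweb.pl?hid_Random_ACARAT=CONSTRUCTED%28non-numeric%29 HTTP/1.1" 200 311
198.51.100.7 - - [01/Jan/2025:10:01:02 +0000] "POST /cgi-bin/ciwweb.pl HTTP/1.1" 200 311
203.0.113.5 - - [01/Jan/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST = re.compile(r'^(\S+) .*?"(GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCRIPT = "ciwweb.pl"          # CGI script named on the page
PARAM = "hid_Random_ACARAT"   # input named on the page; assumed to be a request parameter
# Assumption: legitimate values are digits separated by commas. Adjust to your surveys.
ALLOWED = re.compile(r"[0-9,]*")

def triage(log_text):
    """Return (client, verdict, detail) tuples for requests that reach the script."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, method, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/" + SCRIPT):
            continue
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        for value in values:  # parse_qs has already percent-decoded the value
            verdict = "review" if ALLOWED.fullmatch(value) else "suspicious"
            findings.append((client, verdict, value))
        if method == "POST":
            # Form bodies are not written to access logs, so the value cannot be inspected.
            findings.append((client, "body-not-logged", ""))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

POST requests are reported separately because their bodies never reach the access log; confirming those needs request-body capture at a proxy or WAF.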