Multiple vulnerabilities reported in Infoblox NetMRI Network Management Platform, at least one critical
Take action: If you're running Infoblox NetMRI version 7.5.4.104695 or earlier, upgrade to 7.6.1. Several of the reported vulnerabilities allow complete system takeover, including an unauthenticated command injection that escalates to root and a hardcoded session secret that is shared by every appliance. Restricting network access to your NetMRI systems is a reasonable stopgap, but it doesn't really help long term. Don't delay this one: there are too many flaws, and they chain together, to rely on isolating the system.
Learn More
Infoblox has patched multiple security vulnerabilities in its NetMRI network automation and configuration management solution.
The vulnerabilities were reported by security researchers at Rhino Security Labs and could enable attackers to achieve complete system compromise through various attack vectors including unauthenticated command injection, SQL injection, and privilege escalation techniques.
Vulnerabilities summary:
- CVE-2025-32814 (CVSS score 9.8) - Unauthenticated SQL Injection via skipjackUsername parameter. It affects the login page through the skipjackUsername GET parameter and lets an unauthenticated attacker extract sensitive database contents, including cleartext administrator passwords. The researchers identified it through the verbose error messages returned when special characters were inserted into the username field, which allows error-based SQL injection; the application's built-in NetmriDecrypt function can be invoked from the injected query to expose stored credentials.
- CVE-2024-52874 (CVSS score 8.4) - Authenticated SQL Injection in Run.tdf endpoint.
- CVE-2013-0156 (CVSS score 7.3) - Remote Code Execution via Hardcoded Ruby Cookie Secret Key. The Ruby on Rails session cookie signing key, located at /skipjack/app/rails/config/session_secret.txt, is identical across all virtual machine installations. Anyone holding the key can craft validly signed session cookies, which leads to remote code execution.
- CVE-2025-32813 (CVSS score 7.2) - Unauthenticated Command Injection in get_saml_request endpoint. It exists in an endpoint designed to retrieve SAML requests, where insufficient sanitization of the saml_id parameter lets attackers execute arbitrary operating system commands. The root cause is improper input validation in the application controller: user-supplied data is concatenated directly into a system command that is executed via IO.popen. An attacker can exploit the flaw with a crafted URL that injects commands such as whoami, and can escalate to root with sudo /bin/sh, thanks to a permissive entry in the system's sudoers file that grants the netmri user passwordless access to shell commands.
- CVE-2025-32815 (CVSS score 6.5) - Authentication Bypass via Hardcoded Process Manager Credentials. The Process Manager credentials are hardcoded in configuration files, including /tools/skipjack/app/WEB-INF/conf/syslog.cfg. They provide access to internal endpoints that can be leveraged for cookie forgery: by exploiting newline injection in the SetRawCookie.tdf and SetCookie.tdf endpoints, an attacker can create forged session files containing UserName=admin entries, effectively gaining full administrative access to the NetMRI application.
- CVE-2024-54188 (CVSS score 5.3) - Authenticated Arbitrary File Read as Root via ViewerFileServlet.
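The command-injection item above (user input concatenated into a command run through IO.popen) has a well-known shape in Ruby, and the fix is equally well known. The block below is an added example, not code from NetMRI, Infoblox or Rhino Security Labs: the function names, the allowlist pattern, and the use of `echo` as a stand-in for whatever program the real endpoint invokes are all assumptions for illustration.

```ruby
# Added example (not NetMRI / Infoblox / Rhino Security Labs code).
# Shows the vulnerable IO.popen pattern described for the get_saml_request
# endpoint next to a hardened version. `echo` stands in for the real
# program; function names are assumed for illustration.

# Vulnerable pattern: the request parameter is interpolated into a single
# command String. IO.popen hands a String to /bin/sh, so shell
# metacharacters in saml_id (`;`, `|`, `$(...)`, backticks) run as
# additional commands under the web application's user.
def fetch_saml_request_vulnerable(saml_id)
  IO.popen("echo #{saml_id}") { |io| io.read }
end

# Layer 1 of the fix: invoke the program with an argv Array. No shell is
# involved, so the value is passed to the program as one literal argument
# no matter what characters it contains.
def fetch_saml_request_argv(saml_id)
  IO.popen(["echo", saml_id]) { |io| io.read }
end

# Layer 2: allowlist-validate the identifier before it reaches any
# command at all. The pattern is an assumption; use whatever character
# set the real identifier is defined to have.
SAML_ID_PATTERN = /\A[A-Za-z0-9_-]{1,64}\z/.freeze

def fetch_saml_request_hardened(saml_id)
  raise ArgumentError, "invalid saml_id" unless SAML_ID_PATTERN.match?(saml_id)
  fetch_saml_request_argv(saml_id)
end

# Wrapper that reports rejection instead of raising, for callers that
# want to log the bad request and return a 400.
def safe_fetch(saml_id)
  fetch_saml_request_hardened(saml_id)
rescue ArgumentError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  payload = "abc; id"  # constructed attacker input
  puts "vulnerable: #{fetch_saml_request_vulnerable(payload).inspect}"
  puts "argv only:  #{fetch_saml_request_argv(payload).inspect}"
  puts "hardened:   #{safe_fetch(payload).inspect}"
  puts "hardened:   #{safe_fetch('req-42').inspect}"
end
```

With the constructed input `abc; id`, the vulnerable function returns the output of both `echo abc` and `id`; the argv form returns the literal string `abc; id`, and the hardened form rejects it outright. Both layers matter: the argv form stops shell injection even if validation is later loosened, and the allowlist keeps unexpected values out of the program's own argument parsing. The escalation half of the chain is a sudoers issue rather than a code issue; on an appliance you can list what the service account may run without a password with `sudo -l -U netmri`.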
Affected versions include Infoblox NetMRI version 7.5.4.104695 and earlier versions of the virtual appliance.
Infoblox has addressed these vulnerabilities by releasing patches in NetMRI version 7.6.1. The vendor has published individual knowledge base articles for each CVE on their support portal, providing specific guidance for affected customers.
Organizations should verify their current NetMRI version and upgrade to version 7.6.1 or later.