Critical Arbitrary Code Execution Vulnerability in AWStats Fixed for Fedora 42 and 43

Severity: High (Score: 70.5)

Sources: Linuxsecurity

Summary

A critical vulnerability (CVE-2025-63261) affecting AWStats, a web server log analyzer, was published on March 20, 2026. This vulnerability allows for arbitrary code execution via command injection, impacting users of Fedora 42 and Fedora 43. The flaw was addressed in updates released on April 10, 2026, with Fedora 42 receiving version 8.0-1 and Fedora 43 receiving version 8.0-2. Users are advised to update their systems using the 'dnf' package manager to mitigate the risk. The vulnerability affects various web server environments, including Apache and IIS, and can allow attackers to execute arbitrary commands on the server. The updates are crucial for maintaining the security of systems using AWStats. The scope of impact includes any installations of AWStats on the specified Fedora versions.

Key Points

  • CVE-2025-63261 allows arbitrary code execution via command injection in AWStats.
  • Fedora 42 and 43 received critical updates on April 10, 2026, to address this vulnerability.
  • Users must update their systems using 'dnf' to protect against potential exploitation.
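To confirm that a host actually carries the fixed build after running the update, the following added example (not part of the advisory or of AWStats) compares the installed version-release against the fixed builds listed above. It assumes the package is named `awstats`, that the release carries a `.fcNN` dist tag, and that GNU `sort -V` orders these strings the way rpm does; the function names are hypothetical.

```shell
#!/bin/sh
# Fixed builds as given in the summary: Fedora 42 -> 8.0-1, Fedora 43 -> 8.0-2.
fixed_build() {
    case "$1" in
        42) echo "8.0-1" ;;
        43) echo "8.0-2" ;;
        *)  return 1 ;;   # release not covered by this advisory
    esac
}

# awstats_status <fedora release> <installed version-release>
# Prints one of: fixed, needs-update, unknown-release.
awstats_status() {
    fixed=$(fixed_build "$1") || { echo "unknown-release"; return 0; }
    installed=${2%%.fc*}   # assumption: dist tag looks like .fc42; strip it
    # The lower of the two strings in version order; if that is the fixed
    # build, the installed build is at least as new.
    lowest=$(printf '%s\n%s\n' "$fixed" "$installed" | sort -V | head -n 1)
    if [ "$lowest" = "$fixed" ]; then
        echo "fixed"
    else
        echo "needs-update"
    fi
    return 0
}

# Run against the local host only when rpm and the awstats package are present.
if command -v rpm >/dev/null 2>&1 && rpm -q awstats >/dev/null 2>&1; then
    rel=$(rpm -E %fedora)
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' awstats)
    status=$(awstats_status "$rel" "$evr")
    echo "awstats $evr on Fedora $rel: $status"
    if [ "$status" = "needs-update" ]; then
        echo "run: sudo dnf upgrade awstats"
    fi
fi
```
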

Key Entities

  • Zero-day Exploit (attack_type)
  • CVE-2025-63261 (cve)
  • CWE-78 - OS Command Injection (cwe)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • Apache (platform)
  • IIS (platform)
  • Squid (platform)
  • WebLogic (platform)
  • Webstar (platform)