- A critical remote code execution vulnerability, CVE-2025-34300, has been identified in Lighthouse Studio, affecting the Perl CGI scripts it uses to serve web-based surveys.
- The vulnerability allows unauthenticated attackers to execute arbitrary code on the hosting server simply by requesting a survey link, posing a significant risk to organizations running outdated versions.
- Thousands of hosting servers could be compromised, especially in corporate environments where several instances of Lighthouse Studio may be deployed without any auto-update mechanism.
- Immediate actions required include inventorying Lighthouse Studio deployments and applying available patches or, where patching is not yet possible, restricting who can reach the survey links.
- No specific threat actor attribution has been mentioned, but the size of the installed base and the low effort required to trigger the flaw (a single request to a survey link) suggest a high likelihood of exploitation.
A critical remote code execution vulnerability (CVE-2025-34300) in Lighthouse Studio, survey software developed by Sawtooth Software, allows unauthenticated attackers to execute arbitrary code on the hosting server by requesting a survey link. This flaw poses a substantial risk to organizations, particularly those running outdated versions, and potentially exposes thousands of servers to compromise. Security teams must establish where Lighthouse Studio is in use, apply the available patches, and put access controls in front of the survey CGI to reduce exposure until patching is complete. Immediate actions include restricting public access to survey links and monitoring the affected servers for unusual activity, such as survey requests arriving from networks that should never reach them.
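The two interim measures above (restricting who can reach the survey links, and watching for unusual activity) can be checked against web server access logs. The following triage script is an added example written for this page; it is not code from Sawtooth Software or from the advisory. It assumes the Lighthouse Studio CGI is served at `/cgi-bin/ciwweb.pl` (the script path is configurable per installation and is an assumption here), that legitimate survey traffic comes only from the listed private networks (also an assumption; adjust to your deployment), and that the log is in Apache combined format. The sample log lines are constructed for the example.

```python
"""Triage Apache access logs for requests to the Lighthouse Studio survey CGI.

Flags (a) requests that reach the survey CGI from outside the networks that are
supposed to be able to reach it, and (b) sources that hit it repeatedly, which
is what scanning or repeated exploitation attempts look like in a log.
This is example code for this page, not part of Lighthouse Studio.
"""
import ipaddress
import re
from collections import Counter

# ASSUMPTION: path under which the Lighthouse Studio Perl CGI is served.
SURVEY_CGI_PATH = "/cgi-bin/ciwweb.pl"

# ASSUMPTION: networks from which survey respondents are expected.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip the query string so the survey URL matches regardless of parameters.
    rec["script"] = rec["path"].split("?", 1)[0]
    return rec


def is_allowed_source(ip):
    """True if the client address lies inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def triage(lines, burst_threshold=5):
    """Scan log lines; return external hits on the survey CGI and bursty sources."""
    external_hits = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["script"] != SURVEY_CGI_PATH:
            continue
        per_source[rec["ip"]] += 1
        if not is_allowed_source(rec["ip"]):
            external_hits.append({"ip": rec["ip"], "ts": rec["ts"],
                                  "path": rec["path"], "status": rec["status"]})
    bursts = {ip: n for ip, n in per_source.items() if n >= burst_threshold}
    return {"external_hits": external_hits, "bursts": bursts}


# Constructed sample log (not real traffic): three internal respondents, one
# stray external request, one external source hammering the CGI, and noise.
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Sep/2025:12:00:01 +0000] "GET /cgi-bin/ciwweb.pl?studyname=demo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.1.2.4 - - [10/Sep/2025:12:00:05 +0000] "POST /cgi-bin/ciwweb.pl HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.168.5.6 - - [10/Sep/2025:12:00:09 +0000] "GET /cgi-bin/ciwweb.pl?studyname=demo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2025:12:01:00 +0000] "GET /cgi-bin/ciwweb.pl?studyname=demo HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Sep/2025:12:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    'this line is not in combined log format',
] + [
    f'198.51.100.9 - - [10/Sep/2025:12:02:{i:02d} +0000] "GET /cgi-bin/ciwweb.pl?studyname=x{i} HTTP/1.1" 500 0 "-" "python-requests/2.31"'
    for i in range(5)
]


def run_sample():
    """Run triage over the constructed sample and return the findings."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    result = run_sample()
    for hit in result["external_hits"]:
        print(f"external hit: {hit['ip']} {hit['ts']} {hit['path']} -> {hit['status']}")
    for ip, n in result["bursts"].items():
        print(f"burst: {ip} hit the survey CGI {n} times")
```

Run it against a real log with `triage(open("access.log").readlines())`. A hit from outside the allowed networks means the access restriction is not actually in force at the edge; a burst from one source is worth pulling the full request lines for. Neither finding is proof of compromise, and neither check substitutes for applying the vendor patch.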