Infoblox’s NetMRI, a widely used network automation and configuration management solution, has been found to contain six critical vulnerabilities in its virtual appliance version 7.5.4.104695.
Security researchers have demonstrated that, in combination, these flaws allow attackers to achieve unauthenticated and authenticated remote code execution, obtain admin credentials, and ultimately gain full administrative control across network infrastructures deployed with NetMRI.
The vendor has addressed the issues in the recently released version 7.6.1, and immediate patching is strongly advised.
Widespread Exploitable Flaws in Infoblox NetMRI
The most notable of the vulnerabilities is CVE-2025-32813, an unauthenticated command injection in the get_saml_request endpoint.
Because the saml_id parameter is not sanitized, a remote attacker can execute arbitrary OS commands on the underlying system and, through an insecure configuration in the sudoers file, obtain a root shell.

According to Rhino Security Labs, this allows complete takeover of the NetMRI appliance without prior authentication.
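The Ruby snippet below is an added illustration of the bug class, not code from NetMRI or from the Rhino Security Labs research: it shows a request parameter spliced into a shell command line next to the two fixes a reviewer would ask for. The `echo` command, the function names and the allowed saml_id format are assumptions made for the example.

```ruby
require 'open3'

# Vulnerable pattern: the request parameter is spliced into a shell command
# line, so shell metacharacters in it become part of the command. `echo`
# stands in for whatever the real endpoint runs; this is not NetMRI's code.
def vulnerable_lookup(saml_id)
  `echo #{saml_id}`
end

# Fix, step 1: pass the value as its own argv element and never involve a
# shell, so the metacharacters are just bytes inside one argument.
def argv_lookup(saml_id)
  out, status = Open3.capture2('echo', saml_id)
  raise "command failed: #{status}" unless status.success?
  out
end

# Fix, step 2: allow-list the parameter shape (format assumed for this
# example) so hostile input is rejected before anything runs at all.
SAML_ID_FORMAT = /\A[A-Za-z0-9_-]{1,64}\z/

def hardened_lookup(saml_id)
  raise ArgumentError, 'saml_id has an unexpected format' unless SAML_ID_FORMAT.match?(saml_id)
  argv_lookup(saml_id)
end

if $PROGRAM_NAME == __FILE__
  payload = 'abc; echo INJECTED'
  puts vulnerable_lookup(payload)   # two lines: "abc" and "INJECTED"
  puts argv_lookup(payload)         # one line containing the literal payload
  begin
    hardened_lookup(payload)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The argv form alone stops the injection; the allow-list is defence in depth. Neither addresses the separate sudoers finding: whatever account the web application runs as should not hold passwordless sudo rights, or any command injection that does slip through becomes root immediately.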
Adding to the severity, a hardcoded Ruby on Rails session cookie secret enables attackers to craft signed session cookies that the appliance accepts, facilitating further remote code execution.
The attack path mirrors the older Ruby on Rails issue CVE-2013-0156, and it is exacerbated by the fact that the secret is identical across all VM instances, so a cookie forged against one unpatched deployment is valid against every other.
Attackers can use Metasploit or similar frameworks to escalate privileges directly to root.
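To make the shared-secret problem concrete, the following Ruby sketch is added here; it is not NetMRI code and not the researchers’ proof of concept. The cookie layout (base64 payload, a `--` separator, a hex HMAC-SHA1) follows the Rails signed-cookie format, but the secret value, the JSON session payload and the function names are invented for the example. Rails deployments of that era serialised the session with Marshal, which is what turns a forged cookie into code execution; that step is deliberately not reproduced.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Illustrative stand-in for a secret baked into every appliance image.
# The value is made up for this example.
SHIPPED_SECRET = 'same-secret-in-every-vm-image'.freeze

# Rails-style signed cookie: base64(payload) + "--" + hex(HMAC-SHA1(secret, payload)).
def sign_cookie(session, secret)
  data = [JSON.generate(session)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison so signature checking does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: returns the session hash if the signature checks out, else nil.
def verify_cookie(cookie, secret)
  data, sig = cookie.split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA1', secret, data), sig)
  JSON.parse(data.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# Attacker side: anyone who has read the secret out of one VM image can mint
# a session for any identity on any other image without ever logging in.
def forge_admin_cookie(known_secret)
  sign_cookie({ 'user' => 'admin', 'role' => 'admin' }, known_secret)
end

# Fix: generate the secret at install or first boot so it differs per appliance.
def per_install_secret
  SecureRandom.hex(64)
end

if $PROGRAM_NAME == __FILE__
  forged = forge_admin_cookie(SHIPPED_SECRET)
  p verify_cookie(forged, SHIPPED_SECRET)      # accepted on every shipped image
  p verify_cookie(forged, per_install_secret)  # nil: rejected once secrets are unique
end
```

The signature scheme is not the weakness; the HMAC holds up fine. The weakness is that the key is public the moment one image is inspected, so the only effective fix is a secret that is unique per installation and rotated when compromise is suspected.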
CVE-2025-32814 is an unauthenticated SQL injection in the login mechanism’s skipjack Username parameter: an attacker can execute arbitrary SQL queries and, using error-based SQLi payloads, exfiltrate sensitive information such as the cleartext admin password.
This leads directly to credential compromise and unauthorized administrative access.
Another critical issue, CVE-2025-32815, stems from hardcoded credentials stored in the appliance’s configuration files.
Attackers who know these credentials can authenticate to specific internal endpoints, such as SetRawCookie.tdf and SetCookie.tdf.

Those endpoints are themselves vulnerable to newline injection, which lets an adversary forge session cookies and impersonate admin users, bypassing the regular authentication controls.
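As an added example of the newline-injection class (not code from NetMRI and not the researchers’ exploit), the Ruby below builds a Set-Cookie header from a caller-supplied value in the unsafe way and in a hardened way, then parses the result the way a client would. The cookie names, the value allow-list based on the RFC 6265 cookie-octet set and the simplified token rule for names are assumptions; how the real .tdf endpoints take their input is not reproduced.

```ruby
# Vulnerable: the caller-controlled value is interpolated straight into the
# header block, so a CR LF in it ends the header and starts a new one.
def set_cookie_header_vulnerable(name, value)
  "Set-Cookie: #{name}=#{value}\r\n"
end

# Hardened: reject anything outside the characters a cookie value may hold
# (RFC 6265 cookie-octet) and a conservative subset of a header token for
# the name. Control characters, spaces and separators are all refused.
COOKIE_OCTET = /\A[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\z/
COOKIE_NAME  = /\A[A-Za-z0-9_\-]+\z/

def set_cookie_header_hardened(name, value)
  raise ArgumentError, 'invalid cookie name'  unless COOKIE_NAME.match?(name)
  raise ArgumentError, 'invalid cookie value' unless COOKIE_OCTET.match?(value)
  "Set-Cookie: #{name}=#{value}\r\n"
end

# Client view: every Set-Cookie line in the header block, in order.
def set_cookie_headers(raw_headers)
  raw_headers.split("\r\n")
             .select { |line| line.match?(/\ASet-Cookie:/i) }
             .map    { |line| line.sub(/\ASet-Cookie:\s*/i, '') }
end

if $PROGRAM_NAME == __FILE__
  # Constructed payload: a harmless value followed by a smuggled second cookie.
  payload = "guest\r\nSet-Cookie: role=admin"
  p set_cookie_headers(set_cookie_header_vulnerable('session', payload))  # two cookies
  begin
    set_cookie_header_hardened('session', payload)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Validating at the header boundary is the right place for this check because any component upstream may legitimately pass arbitrary bytes; the response writer is the last point where a stray CR LF can still be refused.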
Patch Urgently Recommended
The appliance is also affected by CVE-2024-54188, an arbitrary file read exploitable by authenticated users. A Java servlet used for report generation runs as root and can be manipulated to disclose arbitrary system files, including /etc/shadow.
Beyond exposing sensitive data, the password hashes obtained this way can enable further lateral movement within the environment.
Finally, CVE-2024-52874 is an authenticated SQL injection in the Run.tdf endpoint via the Scripts parameter.
Attackers who already have a foothold (through the weaknesses above or otherwise) can retrieve additional sensitive information, including decrypted admin credentials, and potentially tamper with the configuration database.
Researchers have published proof-of-concept exploits for each vulnerability, as well as detailed walkthroughs demonstrating how attackers could chain these exploits for maximum impact.
Because several of the flaws, including the unauthenticated RCE and the full admin bypass, require no credentials at all, the window between disclosure and mass exploitation is expected to be very narrow.
Infoblox has released fixes in version 7.6.1 and corresponding KB articles for each CVE. Organizations running NetMRI 7.5.4.104695 or older should immediately update their appliances and review system access for potential compromise.
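For the access review, the following Ruby script is an added example, not tooling from Infoblox or from the researchers: it scans web-server access logs for requests aimed at the endpoints named above. The log lines are constructed for the example, and the URL paths, parameter names and metacharacter patterns are assumptions about how such requests would appear in a combined-format log. A clean result does not prove the absence of compromise; in particular the login SQL injection travels in a POST body and would not show up in an access log at all.

```ruby
require 'uri'

# Constructed sample access-log lines (combined log format); not real NetMRI logs.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [10/Jun/2025:10:00:01 +0000] "GET /get_saml_request?saml_id=abc%3Bid HTTP/1.1" 200 512 "-" "curl/8.0"
  198.51.100.7 - - [10/Jun/2025:10:00:02 +0000] "GET /get_saml_request?saml_id=req-42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  203.0.113.5 - - [10/Jun/2025:10:00:03 +0000] "POST /SetRawCookie.tdf HTTP/1.1" 200 12 "-" "curl/8.0"
  203.0.113.5 - - [10/Jun/2025:10:00:04 +0000] "GET /Run.tdf?Scripts=1%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "curl/8.0"
  192.0.2.9 - - [10/Jun/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
LOG

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Endpoint names come from the advisory text; the exact paths and the
# metacharacter patterns are assumptions made for this example.
RULES = [
  { name: 'saml_id command injection', path: /get_saml_request/i,
    param: 'saml_id', pattern: /[;|&`$()\n]/ },
  { name: 'cookie-setting endpoint hit', path: /Set(Raw)?Cookie\.tdf/i },
  { name: 'Run.tdf SQL injection', path: /\/Run\.tdf\z/i,
    param: 'Scripts', pattern: /['"]|--|\/\*/ },
].freeze

# One combined-format line -> hash with the URL-decoded query parameters.
def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  uri = URI.parse(m[:target])
  params = uri.query ? URI.decode_www_form(uri.query).to_h : {}
  { ip: m[:ip], time: m[:time], method: m[:method], path: uri.path,
    params: params, status: m[:status].to_i }
rescue URI::Error, ArgumentError
  nil
end

# Every request that matches a rule, in log order. Rules with a :param only
# fire when that parameter carries the suspicious pattern; rules without one
# fire on any request to the endpoint, since reaching it at all is notable.
def scan_access_log(text)
  findings = []
  text.each_line do |line|
    req = parse_line(line.chomp) or next
    RULES.each do |rule|
      next unless rule[:path].match?(req[:path])
      if rule[:param]
        value = req[:params][rule[:param]]
        next unless value && rule[:pattern].match?(value)
        findings << { ip: req[:ip], time: req[:time], rule: rule[:name], value: value }
      else
        findings << { ip: req[:ip], time: req[:time], rule: rule[:name], value: req[:path] }
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  scan_access_log(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:ip]} #{f[:rule]}: #{f[:value].inspect}"
  end
end
```

Run it against the appliance’s real access logs by replacing SAMPLE_LOG with the file contents; any hit on the cookie-setting endpoints from an address that is not the appliance itself deserves a look, and a hit on the injection rules from outside the management network should be treated as a compromise until proven otherwise.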
Technical details and mitigation guidance have been made available by both the vendor and the researchers.
Given the ease of exploitation and severity, these vulnerabilities are considered critical threats to any unpatched NetMRI deployment.