CVE-2025-1184 in PiHome
Summary
by MITRE • 02/12/2025
A vulnerability was found in pihome-shc PiHome 1.77 and classified as critical. Affected by this issue is some unknown functionality of the file /ajax.php?Ajax=GetModal_MQTTEdit. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/17/2025
The vulnerability identified as CVE-2025-1184 represents a critical sql injection flaw within the pihome-shc PiHome 1.77 system, specifically impacting the /ajax.php endpoint with the GetModal_MQTTEdit functionality. This vulnerability resides in the web application's handling of user-supplied input through the id parameter, creating a pathway for malicious actors to execute unauthorized database operations. The affected component operates within the context of a home automation system that manages mqtt broker configurations, making it a particularly concerning target for attackers seeking to compromise domestic smart home environments.
The technical exploitation of this vulnerability occurs through the manipulation of the id argument in the Ajax=GetModal_MQTTEdit request parameter, which directly influences how the application processes database queries. When the application fails to properly sanitize or validate the id input before incorporating it into sql statements, attackers can inject malicious sql code that bypasses authentication mechanisms and gains unauthorized access to the underlying database. This flaw falls under the common weakness enumeration CWE-89, which specifically addresses sql injection vulnerabilities, and aligns with attack techniques documented in the attack tree framework where adversaries target web application input validation weaknesses to achieve persistent database access. The remote attack vector means that exploitation does not require physical access to the system, making it particularly dangerous for home automation networks that may be exposed to external networks.
The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could allow attackers to modify mqtt broker configurations, potentially leading to unauthorized access to connected smart devices or complete compromise of the home automation ecosystem. The disclosed exploit status indicates that threat actors have already developed working attack code, significantly increasing the risk to affected systems. This vulnerability represents a critical security gap in the pihome-shc platform's input validation mechanisms, as it demonstrates how a single unvalidated parameter can create a complete database compromise. The implications are particularly severe for home networks where the pihome system serves as a central hub for managing various connected devices, potentially enabling attackers to gain control over lighting, security systems, climate control, and other automated functions.
Organizations and individuals utilizing pihome-shc PiHome 1.77 should immediately implement mitigation strategies including input validation and parameterized queries to prevent sql injection attacks. The recommended approach involves implementing proper input sanitization routines that filter or escape special sql characters from all user-supplied parameters, particularly those used in database operations. Additionally, implementing web application firewalls and database access controls can provide additional layers of protection. The vulnerability also highlights the importance of keeping home automation systems updated with the latest security patches, as this flaw represents a preventable issue that could have been addressed through proper code review and security testing practices. System administrators should conduct immediate vulnerability assessments to identify any potential exploitation attempts and consider network segmentation to limit the impact of successful attacks on the broader home network infrastructure.