Attackers Can Exploit Lighthouse Studio RCE Bug to Gain Server Access
gbhackers
Researchers at Assetnote have uncovered a critical remote code execution (RCE) vulnerability in Lighthouse Studio, a widely used survey software developed by Sawtooth Software.
This flaw, affecting the Perl CGI scripts that power the web-based survey component, enables unauthenticated attackers to execute arbitrary code on hosting servers simply by accessing a survey link.
Vulnerability in Popular Survey Software Exposed
Given the software’s prevalence in corporate environments, where surveys often solicit user input via popups or emails, the potential impact is substantial: organizations may host multiple outdated instances with no auto-update mechanism, so a single server can carry tens or hundreds of copies of the vulnerable scripts, each of which widens the attack surface.
Lighthouse Studio consists of a Windows-based desktop application for survey creation and Perl CGI scripts deployed on web servers, typically Linux Apache setups with mod_cgi.
The vulnerability stems from an insecure templating engine within the scripts, particularly in the ciwweb.pl entry point, which processes ...
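Because the CGI scripts are deployed per survey and never auto-update, the first practical step on an affected host is to find every copy of the entry point and see how many distinct builds are present. The script below is an added example for this page, not code from the gbhackers article, Assetnote or Sawtooth Software. It assumes the entry point is named ciwweb.pl (as the article states) and that copies live somewhere under the web roots you pass as arguments, such as /var/www or /usr/lib/cgi-bin; the demo tree it builds under a temporary directory is constructed for illustration only.

```shell
#!/bin/sh
# Added example: inventory every copy of the Lighthouse Studio CGI entry point
# (assumed to be named ciwweb.pl) under a web root, fingerprint each copy by
# content hash, and count how many distinct builds are deployed.
# Not the article's, Assetnote's or Sawtooth Software's code.

# Hash a file with whatever SHA-256 tool the host has (GNU coreutils or perl/BSD shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# One line per copy: "<sha256> <size-in-bytes> <path>", sorted by path so output is stable.
# Identical hashes across paths mean the same build was copied around; a distinct
# hash is a distinct build that needs its own patch/removal decision.
inventory_ciwweb() {
    root="$1"
    find "$root" -type f -name 'ciwweb.pl' -print 2>/dev/null | sort | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$(hash_file "$f")" "$size" "$f"
    done
}

# Total number of copies under the root.
count_copies() {
    inventory_ciwweb "$1" | wc -l | tr -d ' '
}

# Number of distinct builds (unique content hashes) under the root.
count_distinct_builds() {
    inventory_ciwweb "$1" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed demo tree: three copies of ciwweb.pl, two of them byte-identical
# (an old survey directory that was cloned), one a different build.
# The file contents are placeholders, not the real script.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/survey1/cgi-bin" "$d/survey2/cgi-bin" "$d/archive/old/cgi-bin"
    printf '#!/usr/bin/perl\n# constructed stand-in for build A\n' > "$d/survey1/cgi-bin/ciwweb.pl"
    cp "$d/survey1/cgi-bin/ciwweb.pl" "$d/archive/old/cgi-bin/ciwweb.pl"
    printf '#!/usr/bin/perl\n# constructed stand-in for build B\n' > "$d/survey2/cgi-bin/ciwweb.pl"
    printf '%s\n' "$d"
}

# Demo run against the constructed tree. On a real host replace DEMO_ROOT with
# the actual web roots, e.g.:  for r in /var/www /usr/lib/cgi-bin; do inventory_ciwweb "$r"; done
DEMO_ROOT=$(make_demo_tree)
inventory_ciwweb "$DEMO_ROOT"
echo "copies: $(count_copies "$DEMO_ROOT")  distinct builds: $(count_distinct_builds "$DEMO_ROOT")"
rm -rf "$DEMO_ROOT"
```

Run it with the real web roots and keep the output as the remediation checklist: every path listed is a separate instance that a survey link can reach through mod_cgi, and the hash column tells you which of them are the same build, so you patch or remove each distinct build once and then re-run the inventory to confirm nothing was missed.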
Copyright of this story solely belongs to gbhackers.