CVE-2025-58180 is a critical remote code execution vulnerability (CVSS 7.5) in OctoPrint versions ≤ 1.11.2 (patched in 1.11.3, released September 2025). It allows an authenticated attacker who has file-upload permissions, but no admin rights, to execute arbitrary commands on the OctoPrint host by uploading a maliciously named G-code file.
Attack Requirements
1. A valid API key or authenticated session (a standard user account with the ability to upload files, such as a typical OctoPrint user).
2. At least one event handler that executes a shell command and substitutes the uploaded file's name or path into it. This is the common case: event handlers are widely used to send notifications, run post-processing or trigger automation.
3. OctoPrint ≤ 1.11.2
No admin privileges are needed to trigger the exploit, only the ability to upload files.
Practical Impact
1. Full remote code execution as the user that runs OctoPrint and therefore the event handler. Typically this is the "pi" user on a Raspberry Pi running OctoPrint, or another service account on a Linux system.
2. Typical payloads following full remote code execution include reverse shells, persistence, theft of user credentials, lateral movement and dropping a crypto miner.
3. The risk is exceptionally high in 3D printing farms, maker spaces, education labs and anywhere else OctoPrint is exposed to the Internet or shared with untrusted users.
Current Status (February 2026)
1. Patch History for OctoPrint v. 1.11.3 (September 2025)
a) Filenames are now escaped/quoted before being substituted into shell commands (previously they were not).
b) Event subsystem has received additional hardening.
2. Vulnerable instances remain in the wild: some Raspberry Pi users have not upgraded, and many older images are still in use.
3. There are no reports of the vulnerable instances actually being exploited in the wild. However, a PoC has been publicly available since late September 2025, and the vulnerability is trivial to exploit.
Recommendations:
1. Upgrade to OctoPrint version 1.11.3 or newer immediately.
2. Review all event handlers (Settings → Event Manager) and disable or remove any system event handler that uses {path}, (unknown), or {name} without escaping.
3. Restrict upload access by using granular API keys (read-only wherever feasible), and set "feature.enforceReallyUniversalFilenames: true" in your config.yaml.
4. Keep your network secure. Do not expose OctoPrint to the Internet except behind a VPN, OctoEverywhere or a reverse proxy that requires a strong username and password, or two-factor authentication. Make sure your OctoPrint server is not running as root or another highly privileged user account.
5. Check uploaded filenames for suspicious shell metacharacters such as ;, &, $ and similar. Their presence can indicate an intrusion attempt. Additionally, watch the OctoPrint log files for any unusual subprocess invocations.
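As an added illustration (not code from the advisory or from OctoPrint itself), the following Python shows the bug class behind patch item a) and the filename check in recommendation 5: an event-handler template rendered with and without shlex.quote, tokenised the way a POSIX shell would read it, plus a scan of constructed filenames for shell metacharacters. The template, the metacharacter set and the sample filenames are constructed for this example.

```python
import re
import shlex

# Shell metacharacters recommendation 5 asks operators to look for. This
# character set is constructed for the example, not OctoPrint's own list.
SHELL_METACHARS = re.compile(r"[;&|$`<>(){}\[\]!*?#~\"'\\\n]")

# Constructed sample of uploaded filenames; none of these come from the page.
SAMPLE_FILENAMES = [
    "benchy.gcode",
    "cube v2.gcode",              # a space is awkward but not a metacharacter
    "model;echo injected.gcode",  # ';' ends one shell command and starts another
    "tag_$HOME.gcode",            # '$' triggers variable expansion
]


def has_shell_metachars(filename: str) -> bool:
    """True if the filename contains any character the shell interprets."""
    return SHELL_METACHARS.search(filename) is not None


def audit_filenames(filenames):
    """Return the filenames an operator should investigate."""
    return [f for f in filenames if has_shell_metachars(f)]


def render_unescaped(template: str, name: str) -> str:
    """Unsafe pattern (a paraphrase of the pre-1.11.3 behaviour, not
    OctoPrint's code): plain text substitution into a shell line."""
    return template.replace("{name}", name)


def render_escaped(template: str, name: str) -> str:
    """Hardened pattern: shlex.quote makes the value one literal word."""
    return template.replace("{name}", shlex.quote(name))


def shell_words(cmd: str) -> list:
    """Tokenise a command line as a POSIX shell would, without running it.
    punctuation_chars=True splits ';', '&', '|' etc. into their own tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    template = "notify-send {name}"  # stand-in for an event-handler command
    bad = SAMPLE_FILENAMES[2]
    print("flagged:  ", audit_filenames(SAMPLE_FILENAMES))
    print("unescaped:", shell_words(render_unescaped(template, bad)))
    print("escaped:  ", shell_words(render_escaped(template, bad)))
```

With the unescaped template the filename becomes five shell words, two of which form a second command; with shlex.quote it stays a single argument.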
Source: Exploit DB
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067