cbcvebase.
CVE-2025-34095
published 2025-07-10


Priority: P178, critical. CVSS 4.0 base score 9.3.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 4.42% (90.1st percentile)
An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.

Affected (1 range)

Vendor: real_time_logic
Product: mako_server
Version range: 2.5 – 2.6
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: examples/save.lsp
path: examples/manage.lsp
command: PUT request containing arbitrary Lua os.execute() code to examples/save.lsp
  • Alert on unauthenticated HTTP PUT requests targeting the path /examples/save.lsp on Mako Server instances (versions 2.5 and 2.6); this is the initial write-stage of the two-step exploit chain.
  • Correlate a PUT to /examples/save.lsp followed by a GET to /examples/manage.lsp from the same source IP — this two-request sequence is the canonical exploit pattern for CVE-2025-34095.
  • Inspect the body of PUT requests to /examples/save.lsp for Lua os.execute() calls, which indicate attempted OS command injection.
  • No authentication is required to exploit this vulnerability; WAF/IDS rules should not rely on session or credential checks to filter these requests.
  • The vulnerable endpoint is part of the tutorial/examples interface; deployments that expose this interface publicly (i.e., have not disabled or restricted the examples/tutorial pages) are at risk on both Windows and Unix-based systems.
  • Only Mako Server versions 2.5 and 2.6 are confirmed vulnerable; detections should be scoped accordingly, but version fingerprinting alone is insufficient: presence of the examples interface must also be confirmed.
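The correlation rule in the bullets above (a PUT to /examples/save.lsp followed by a GET to /examples/manage.lsp from the same source IP, plus a body check for os.execute) can be run directly over web-server access logs. The script below is an added example, not code from cbcvebase or from Real Time Logic; it assumes Common Log Format lines, a 10-minute correlation window, and uses constructed sample traffic with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format). The IPs are
# documentation ranges and the traffic is invented for this demo.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2025:08:15:02 +0000] "GET /examples/index.lsp HTTP/1.1" 200 512
203.0.113.10 - - [11/Jul/2025:08:15:05 +0000] "PUT /examples/save.lsp HTTP/1.1" 200 17
203.0.113.10 - - [11/Jul/2025:08:15:07 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 1024
198.51.100.7 - - [11/Jul/2025:08:20:00 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 1024
198.51.100.7 - - [11/Jul/2025:08:21:00 +0000] "PUT /examples/save.lsp?x=1 HTTP/1.1" 200 17
192.0.2.44 - - [11/Jul/2025:10:00:00 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SAVE_PATH = "/examples/save.lsp"
MANAGE_PATH = "/examples/manage.lsp"
# Weak body signal: a Lua os.execute( call, allowing Lua's optional whitespace.
# Only usable when the sensor captures PUT bodies; the PUT itself is the alert.
OS_EXECUTE_RE = re.compile(r'\bos\s*\.\s*execute\s*\(', re.IGNORECASE)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]  # ignore the query string
    return ev


def body_has_os_execute(body):
    """True if a captured PUT body contains a Lua os.execute( call."""
    return OS_EXECUTE_RE.search(body) is not None


def analyze(log_text, window=timedelta(minutes=10)):
    """Return write-stage alerts and correlated PUT->GET chains.

    write_stage: every PUT to save.lsp as (ip, ts). No session or credential
    condition is applied, because the endpoint needs no authentication.
    chains: (ip, put_ts, get_ts) where a GET to manage.lsp from the same IP
    follows a PUT to save.lsp within `window`.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # log lines are not always in order
    write_stage, chains = [], []
    recent_puts = defaultdict(list)  # ip -> timestamps of PUTs to save.lsp
    for e in events:
        if e["method"] == "PUT" and e["path"] == SAVE_PATH:
            write_stage.append((e["ip"], e["ts"]))
            recent_puts[e["ip"]].append(e["ts"])
        elif e["method"] == "GET" and e["path"] == MANAGE_PATH:
            # Only a PUT that precedes this GET (within the window) counts.
            for put_ts in recent_puts[e["ip"]]:
                if timedelta(0) <= e["ts"] - put_ts <= window:
                    chains.append((e["ip"], put_ts, e["ts"]))
    return {"write_stage": write_stage, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, ts in result["write_stage"]:
        print(f"WRITE-STAGE  {ip} PUT {SAVE_PATH} at {ts.isoformat()}")
    for ip, put_ts, get_ts in result["chains"]:
        print(f"CHAIN        {ip} PUT->GET within {get_ts - put_ts}")
```

On the sample data, both PUTs produce write-stage alerts, but only 203.0.113.10 produces a chain: 198.51.100.7 issued its GET before its PUT, so the order does not match the exploit sequence, and 192.0.2.44 never wrote anything. Because the write stage persists code on disk, a PUT alert without a matching GET still merits a check of the examples directory on the host.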