CVE-2025-34095
Published: 2025-07-10
Priority: P178 · Severity: critical · Score: 9.3 (CVSS 4.0)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined: X)
EXPLOIT
EPSS: 4.42% (90.1th percentile)
An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| real_time_logic | mako_server | 2.5 – 2.6 | — |
Detection & IOCs (extracted from sources)
- Alert on unauthenticated HTTP PUT requests targeting the path /examples/save.lsp on Mako Server instances (versions 2.5 and 2.6); this is the initial write stage of the two-step exploit chain.
- Correlate a PUT to /examples/save.lsp followed by a GET to /examples/manage.lsp from the same source IP; this two-request sequence is the canonical exploit pattern for CVE-2025-34095.
- Inspect the body of PUT requests to /examples/save.lsp for Lua os.execute() calls, which indicate attempted OS command injection.
- No authentication is required to exploit this vulnerability; WAF/IDS rules should not rely on session or credential checks to filter these requests.
- The vulnerable endpoint is part of the tutorial/examples interface; deployments that expose this interface publicly (i.e., have not disabled or restricted the examples/tutorial pages) are at risk on both Windows and Unix-based systems.
- Only Mako Server versions 2.5 and 2.6 are confirmed vulnerable; detections should be scoped accordingly, but version fingerprinting alone is insufficient — presence of the examples interface must also be confirmed.
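The correlation described in the bullets above, as an added example that is not part of the advisory or of the Mako Server project: it flags the write-stage PUT to /examples/save.lsp on its own, marks the PUT as critical when the body contains a Lua os.execute call, and raises a chained finding when the same source IP follows with a GET to /examples/manage.lsp inside a time window. It assumes request records (method, path, source IP, timestamp, body) have already been parsed out of a reverse-proxy or WAF log; the records below are constructed, and the 10-minute window is an assumed tuning value.

```python
"""Detection logic for the CVE-2025-34095 two-request pattern (added example).

Assumes proxy/WAF records already parsed into Request objects; the sample
records at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SAVE_PATH = "/examples/save.lsp"      # write stage (PUT)
MANAGE_PATH = "/examples/manage.lsp"  # trigger stage (GET)


@dataclass
class Request:
    ts: datetime
    src_ip: str
    method: str
    path: str
    body: str = ""   # only present for logs that capture request bodies


def _route(path: str) -> str:
    """Strip the query string so /examples/save.lsp?x=1 still matches."""
    return path.split("?", 1)[0]


def is_save_put(req: Request) -> bool:
    """Stage 1 indicator: any PUT to the tutorial save endpoint."""
    return req.method.upper() == "PUT" and _route(req.path) == SAVE_PATH


def body_has_os_execute(body: str) -> bool:
    """Lua os.execute in the PUT body is the injection indicator named in the advisory.
    Whitespace is removed first so 'os . execute' is not missed."""
    return "os.execute" in body.replace(" ", "").replace("\t", "")


def save_put_alerts(requests):
    """One alert per write-stage PUT, severity raised when the body carries os.execute."""
    alerts = []
    for req in requests:
        if is_save_put(req):
            hit = body_has_os_execute(req.body)
            alerts.append({"src_ip": req.src_ip, "ts": req.ts.isoformat(),
                           "os_execute_in_body": hit,
                           "severity": "critical" if hit else "high"})
    return alerts


def correlate(requests, window=timedelta(minutes=10)):
    """Stage 2: pair each save PUT with a later manage GET from the same IP within `window`.
    A PUT is consumed once matched so repeated GETs do not produce duplicate findings."""
    findings = []
    pending = {}  # src_ip -> PUTs still waiting for a follow-up GET
    for req in sorted(requests, key=lambda r: r.ts):
        if is_save_put(req):
            pending.setdefault(req.src_ip, []).append(req)
            continue
        if req.method.upper() == "GET" and _route(req.path) == MANAGE_PATH:
            queue = pending.get(req.src_ip, [])
            matched = [p for p in queue if timedelta(0) <= req.ts - p.ts <= window]
            for put in matched:
                hit = body_has_os_execute(put.body)
                findings.append({"src_ip": req.src_ip, "put_ts": put.ts.isoformat(),
                                 "get_ts": req.ts.isoformat(), "os_execute_in_body": hit,
                                 "severity": "critical" if hit else "high"})
            pending[req.src_ip] = [p for p in queue if p not in matched]
    return findings


# Constructed sample traffic (not real log data).
_T0 = datetime(2025, 7, 10, 12, 0, 0)
SAMPLE_REQUESTS = [
    Request(_T0, "192.0.2.10", "GET", MANAGE_PATH),                       # no prior PUT: benign
    Request(_T0 + timedelta(minutes=1), "203.0.113.5", "PUT", SAVE_PATH + "?x=1",
            body="print(os.execute(userinput))"),                          # injection indicator
    Request(_T0 + timedelta(minutes=2), "203.0.113.5", "GET", MANAGE_PATH),  # trigger: chained
    Request(_T0 + timedelta(minutes=3), "198.51.100.7", "PUT", SAVE_PATH,
            body="<?lsp print('hello') ?>"),                               # write stage only
    Request(_T0 + timedelta(minutes=40), "198.51.100.7", "GET", MANAGE_PATH),  # outside window
]


def run_sample():
    """Returns (write-stage alerts, chained findings) for the constructed sample."""
    return save_put_alerts(SAMPLE_REQUESTS), correlate(SAMPLE_REQUESTS)


if __name__ == "__main__":
    puts, chains = run_sample()
    print(f"{len(puts)} write-stage alerts, {len(chains)} chained findings")
    for f in chains:
        print(f)
```

The write-stage alert is deliberately kept separate from the chained finding: the first bullet asks for an alert on the PUT alone, because a body-capturing proxy may see the payload before the GET ever arrives, while the pairing raises confidence once the trigger request is observed.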
No detection rules found.
No writeups or analysis indexed.