CVE-2025-34097
published 2025-07-10

Priority: P2 (60) · Severity: high · Base score: 8.6 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Tag: EXPLOIT
EPSS: 1.03% (59.4th percentile)
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.

Detection & IOCs (extracted from sources)

filename.tar
  • Alert on chained exploitation pattern: privilege escalation via user profile page (CVE-2022-38577) followed by plugin upload activity, indicating RCE attempt from a low-privileged account.
  • Detect Metasploit module exploitation attempts targeting ProcessMaker plugin upload endpoint; the module generates and uploads a crafted plugin to achieve web server-level code execution.
  • Flag ProcessMaker instances running versions prior to 3.5.4 (including 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1 on Windows and 3.2.0 on Debian Linux) as exposed to this vulnerability.
  • Exploitation requires administrative credentials; however, this privilege requirement can be bypassed by chaining with CVE-2022-38577, a privilege escalation from a low-privileged account.
  • The vulnerability affects ProcessMaker versions prior to 3.5.4; patching to 3.5.4 or later is the remediation boundary.