CVE-2025-34097
Published 2025-07-10
Priority: P2 · 60 · high · 8.6 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.03% (59.4th percentile)
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
Detection & IOCs (extracted from sources)
- Alert on the chained exploitation pattern: privilege escalation via the user profile page (CVE-2022-38577) followed by plugin upload activity, indicating an RCE attempt from a low-privileged account.
- Detect Metasploit module exploitation attempts targeting the ProcessMaker plugin upload endpoint; the module generates and uploads a crafted plugin to achieve web server-level code execution.
- Flag ProcessMaker instances running versions prior to 3.5.4 (including 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1 on Windows and 3.2.0 on Debian Linux) as vulnerable targets for this exploit.
- Exploitation requires administrative credentials; however, this privilege requirement can be bypassed by chaining with CVE-2022-38577 privilege escalation from a low-privileged account.
- The vulnerability affects ProcessMaker versions prior to 3.5.4; patching to 3.5.4 or later is the remediation boundary.
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/processmaker_plugin_upload.rb
- https://vulncheck.com/advisories/process-maker-authenticated-plugin-upload-rce
- https://wiki.processmaker.net/3.0/Plugin_Development
- https://www.exploit-db.com/exploits/44399
- https://www.fortiguard.com/encyclopedia/ips/45757