cbcvebase.
CVE-2025-34102
published 2025-07-10

Priority P2 · 75 · critical · 9.3 CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 6.77% (93.2th percentile)
A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. An unauthenticated attacker can gain shell access as the web server user by first exploiting a SQL injection flaw in login.php to bypass authentication, followed by command injection in logshares_ajax.php to execute arbitrary operating system commands. The login bypass is achieved by submitting crafted SQL via the user POST parameter. Once authenticated, the attacker can abuse the lsid POST parameter in the logshares_ajax.php endpoint to inject and execute a command using $(...) syntax, resulting in code execution under the web context. This exploitation path does not exist in the ASP.NET version of CryptoLog released since 2009.

Affected

1 ranges
Vendor: crypttech
Product: cryptolog
Version range: >= unspecified PHP versions, < ASP.NET rewrite (2009)
Fixed in: ASP.NET rewrite (2009)

Detection & IOCs (extracted from sources)

path: /login.php
path: /logshares_ajax.php
command: POST parameter: user (SQL injection payload for auth bypass)
command: POST parameter: lsid (command injection via $(...) syntax)
  • Monitor HTTP POST requests to login.php for SQL injection patterns in the 'user' parameter (e.g., quote characters, boolean logic, comment sequences) indicative of authentication bypass attempts.
  • Monitor HTTP POST requests to logshares_ajax.php for the 'lsid' parameter containing shell command substitution syntax such as $(...) which indicates command injection exploitation.
  • Alert on unauthenticated access to logshares_ajax.php — this endpoint requires a valid session, so a session obtained via SQL injection bypass followed immediately by a POST to this endpoint is a strong indicator of chained exploitation.
  • Correlate web server process spawning unexpected child shell processes (e.g., /bin/sh, /bin/bash) from the web server user context as a post-exploitation indicator of successful RCE.
  • This vulnerability only affects the PHP version of CryptoLog (discontinued since 2009). The ASP.NET version is NOT affected. Ensure detection rules are scoped to environments still running the legacy PHP deployment.
  • The Metasploit module targets Linux HTTP servers running the PHP CryptoLog application; detection and response efforts should be prioritized on Linux-based web server hosts.
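
The first three monitoring points above can be combined into one pass over request records, shown here as an added example that is not part of the original entry or of any vendor tooling. It assumes a reverse proxy or WAF that logs POST bodies as (epoch seconds, client IP, method, path, body) tuples; the 60-second window, the alert names, the backtick check and correlation by client IP are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs

# Patterns the entry names for 'user': quote characters, boolean logic, comment sequences.
SQLI = re.compile(r"""['"]|\b(?:or|and)\b\s+\S+\s*=|--|#|/\*""", re.I)
# $(...) command substitution in 'lsid'; backticks added as the equivalent form (assumption).
CMD_SUBST = re.compile(r"\$\(|`")
WINDOW = 60  # seconds between a suspicious login and the follow-up POST (assumed threshold)

def scan(records):
    """Return (ts, ip, alert) tuples for an iterable of request records."""
    alerts, suspect_login = [], {}
    for ts, ip, method, path, body in sorted(records):
        if method != "POST":
            continue
        params = parse_qs(body, keep_blank_values=True)  # URL-decodes the values
        name = path.split("?", 1)[0].rsplit("/", 1)[-1]  # tolerate a deployment prefix
        if name == "login.php":
            if any(SQLI.search(v) for v in params.get("user", [])):
                suspect_login[ip] = ts  # keyed by client IP; a session id is better if logged
                alerts.append((ts, ip, "sqli-login"))
        elif name == "logshares_ajax.php":
            if any(CMD_SUBST.search(v) for v in params.get("lsid", [])):
                alerts.append((ts, ip, "cmdi-lsid"))
            # A POST here right after a suspicious login is the chained indicator.
            if ts - suspect_login.get(ip, float("-inf")) <= WINDOW:
                alerts.append((ts, ip, "chained-exploitation"))
    return alerts

SAMPLE = [  # constructed records, not captured traffic
    (1000, "198.51.100.7", "POST", "/login.php", "user=alice"),
    (1010, "203.0.113.9", "POST", "/login.php", "user=a%27+OR+%271%27%3D%271"),
    (1015, "203.0.113.9", "POST", "/logshares_ajax.php", "lsid=4%24%28PLACEHOLDER%29"),
    (1020, "198.51.100.7", "POST", "/logshares_ajax.php", "lsid=12"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The quote-character match will also fire on legitimate usernames containing an apostrophe, so treat `sqli-login` alone as low confidence and escalate on `cmdi-lsid` or `chained-exploitation`.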