Cyber Resilience

CVE-2025-34041

Critical · Public PoC · RCE

Published: 24 June 2025
Modified: 15 April 2026
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score (v4): 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0375 (88.3rd percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34041 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 11.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

An OS command injection vulnerability, tracked as CVE-2025-34041 and assigned CWE-78, affects the Chinese-language builds of the Sangfor Endpoint Detection and Response (EDR) management platform in versions 3.2.16, 3.2.17, and 3.2.19. The flaw resides in the EDR Manager interface and carries the maximum CVSS score of 10.0, reflecting a network-accessible, unauthenticated attack vector with complete confidentiality, integrity, and availability impact on both the vulnerable component and its host environment.

Unauthenticated remote attackers can exploit the issue by crafting and sending malicious HTTP requests to the management interface, achieving arbitrary operating-system command execution with elevated privileges. The vulnerability is restricted to the Chinese-language EDR builds and does not affect other language variants.

Exploitation evidence was recorded by the Shadowserver Foundation on 2025-02-04 UTC, several months before the CVE's publication date. The EPSS score has remained flat at 0.0375, its peak and current value, with no material increase. Public advisories and technical details are available from VulnCheck, CNVD, and Sangfor.

EU & UK References

Vulnerability details

An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. The vulnerability allows unauthenticated attackers to construct and send malicious HTTP requests to the EDR Manager interface, leading to arbitrary command execution with elevated privileges. This flaw only affects the Chinese-language EDR builds. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Chinese-language builds of the Sangfor Endpoint Detection and Response (EDR) management platform, versions 3.2.16, 3.2.17, and 3.2.19 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.

References