CVE-2025-34095
Published: 10 July 2025
Summary
CVE-2025-34095 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
An OS command injection vulnerability affects Mako Server versions 2.5 and 2.6 within the tutorial interface at the examples/save.lsp endpoint. Tracked as CWE-78 with a CVSS 4.0 score of 9.3, the flaw allows arbitrary Lua os.execute() commands to be supplied in a PUT request; the payload is written to disk and later executed when examples/manage.lsp is accessed via GET, impacting both Windows and Unix deployments.
Unauthenticated remote attackers can exploit the issue without user interaction or credentials. By chaining the PUT and GET requests, an adversary achieves arbitrary command execution on the underlying operating system, enabling full compromise of the host.
Public exploit artifacts are referenced in a Rapid7 Metasploit module, a VulnCheck advisory, and an Exploit-DB entry. The EPSS score is currently 0.6661, which is also its observed peak, reflecting a substantial probability of exploitation.
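The two-step sequence described above (a PUT to examples/save.lsp followed by a GET to examples/manage.lsp from the same client) is easy to look for in web server access logs. The following detection routine is an added example, not part of the advisory or the Mako Server project; the Common Log Format lines, the request paths and the ten-minute correlation window are assumptions.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:09:14:02 +0000] "PUT /examples/save.lsp HTTP/1.1" 200 12
203.0.113.7 - - [10/Jul/2025:09:14:05 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 851
198.51.100.4 - - [10/Jul/2025:09:15:10 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 851
192.0.2.9 - - [10/Jul/2025:09:16:00 +0000] "PUT /examples/save.lsp HTTP/1.1" 200 12
192.0.2.9 - - [10/Jul/2025:11:20:00 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 851
"""

# Assumed paths; the tutorial endpoints are named in the advisory, the leading slash is an assumption.
SAVE_PATH = "/examples/save.lsp"
MANAGE_PATH = "/examples/manage.lsp"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Split one CLF line into (client_ip, timestamp, method, path, status); None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)


def find_chains(log_text: str, window_seconds: int = 600) -> List[Tuple[str, str]]:
    """Report ("put_save", ip) for every accepted PUT to save.lsp (the tutorial
    endpoint should not be writable by untrusted clients at all) and ("chain", ip)
    when the same client then requests manage.lsp within the window, which is the
    point at which the stored payload would run."""
    pending = {}  # client_ip -> time of its most recent accepted PUT to save.lsp
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "PUT" and path == SAVE_PATH and status < 400:
            pending[ip] = when
            findings.append(("put_save", ip))
        elif method == "GET" and path == MANAGE_PATH and ip in pending:
            if (when - pending[ip]).total_seconds() <= window_seconds:
                findings.append(("chain", ip))
    return findings


if __name__ == "__main__":
    for kind, ip in find_chains(SAMPLE_LOG):
        print(f"{kind}: {ip}")
```

The third client in the sample writes to save.lsp but fetches manage.lsp two hours later, so only the lone PUT is reported for it; widen the window if the deployment sees slower sequences.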
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21031
Vulnerability details
An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.