CVE-2025-34095

Critical · Public PoC · RCE

Published: 10 July 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS v4 score: 9.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.6661 (98.6th percentile)
Risk priority: 59 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34095 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

An OS command injection vulnerability affects Mako Server versions 2.5 and 2.6 within the tutorial interface at the examples/save.lsp endpoint. Tracked as CWE-78 with a CVSS 4.0 score of 9.3, the flaw allows arbitrary Lua os.execute() commands to be supplied in a PUT request; the payload is written to disk and later executed when examples/manage.lsp is accessed via GET, impacting both Windows and Unix deployments.

Unauthenticated remote attackers can exploit the issue without user interaction or credentials. By chaining the PUT and GET requests, an adversary achieves arbitrary command execution on the underlying operating system, enabling full compromise of the host.

Public exploit artifacts are referenced in a Rapid7 Metasploit module, a VulnCheck advisory, and an Exploit-DB entry. The EPSS score is currently 0.6661, which is also its observed peak, reflecting a substantial probability of exploitation.

Vulnerability details

An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mako Server (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Addresses CWE-78: validate inputs to block special elements that would alter OS command execution.
