Cyber Resilience

CVE-2025-34097

HighPublic PoC

Published: 10 July 2025

Published
10 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.5666 98.2th percentile
Risk Priority 51 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34097 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.

The flaw is tracked as CWE-434 and carries a CVSS 4.0 score of 8.6 reflecting high impact on confidentiality, integrity, and availability when exploited over the network by an authenticated administrator. Public references include a Metasploit module for the plugin upload vector, an Exploit-DB entry, and advisory material from VulnCheck that document the authenticated remote code execution path.

Mitigation guidance centers on upgrading ProcessMaker to version 3.5.4 or later to address the unrestricted archive handling. The current EPSS score of 0.5666 matches its recorded peak with no material increase after disclosure. Public exploit code and tooling are already available, indicating the issue is readily testable in affected deployments.

EU & UK References

Vulnerability details

An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s…

more

install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ProcessMaker
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References