CVE-2025-34102
Published: 10 July 2025
Summary
CVE-2025-34102 is a critical-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A remote code execution vulnerability affects the discontinued PHP version of CryptoLog through chained SQL injection and command injection flaws. The issues reside in login.php, where the user POST parameter permits authentication bypass, and in logshares_ajax.php, where the lsid POST parameter accepts command injection via $(...) syntax. The CVSS 4.0 score is 9.3, reflecting network-accessible unauthenticated exploitation that yields high impact on confidentiality, integrity, and availability under the web-server user context. The ASP.NET version released after 2009 is not affected by this exploitation path.
An unauthenticated remote attacker can chain the flaws to obtain a shell: first submitting crafted SQL to bypass login, then injecting operating-system commands through the logshares endpoint. The resulting code execution occurs without authentication or user interaction, enabling full compromise of the web application context.
Public references document the vulnerability in detail, including a Metasploit module and an Exploit-DB entry, while noting that the product has been discontinued since 2009. The current EPSS score of 0.6902 matches its recorded peak, indicating sustained exploitation interest after disclosure. No official patches are referenced for the legacy PHP codebase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21029
Vulnerability details
A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. An unauthenticated attacker can gain shell access as the web server user by first exploiting a SQL injection flaw in login.php to bypass authentication, followed by command injection in logshares_ajax.php to execute arbitrary operating system commands. The login bypass is achieved by submitting crafted SQL via the user POST parameter. Once authenticated, the attacker can abuse the lsid POST parameter in the logshares_ajax.php endpoint to inject and execute a command using $(...) syntax, resulting in code execution under the web context. This exploitation path does not exist in the ASP.NET version of CryptoLog released since 2009.
- CWE(s): CWE-20 (Improper Input Validation)
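Since no patch exists for the legacy PHP codebase, the following is an added example (not CryptoLog's own code, which this page does not reproduce) of how the two handler patterns described above look when hardened: the `user` parameter bound through a prepared statement, and `lsid` reduced to a validated integer before it reaches a shell. The `users` table and its columns, the export command path and the `authenticated` session flag are assumptions for illustration.

```php
<?php
// Added illustration, not CryptoLog code. Table and column names, the export
// command path and the session flag are assumptions for this example.
declare(strict_types=1);

// login.php pattern: bind the `user` POST value as data instead of
// concatenating it into the SQL string, so crafted SQL cannot bypass the check.
function authenticate_user(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// logshares_ajax.php pattern: `lsid` is an identifier, so accept only a
// canonical positive integer. filter_var() rejects "$(...)" and anything else
// that is not a plain decimal number (arrays and null also yield false).
function validate_lsid(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Even a validated integer is passed through escapeshellarg(), so the shell
// receives it as a single literal argument rather than interpreting it.
function run_logshare_export(int $lsid): string
{
    $cmd = '/usr/local/bin/logshare-export ' . escapeshellarg((string) $lsid);
    return (string) shell_exec($cmd);
}

// Request flow for the AJAX endpoint: require an authenticated session
// before any input is acted on, then validate before executing.
session_start();
if (empty($_SESSION['authenticated'])) {
    http_response_code(401);
    exit;
}
$lsid = validate_lsid($_POST['lsid'] ?? null);
if ($lsid === null) {
    http_response_code(400);
    exit('invalid lsid');
}
echo run_logshare_export($lsid);
```

Where the application cannot be modified, the same two checks (reject non-integer `lsid`, reject SQL metacharacters in `user`) are the natural basis for a WAF or reverse-proxy rule in front of the legacy endpoints.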
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Directly implements checks on information inputs to reject invalid data before processing.
Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
Auditing sessions makes it possible to detect access to critical functions without required authentication.
The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
Certification assesses that critical functions have required authentication controls in place.