CVE-2025-34030

EUVD-2025-18774 | Severity: CRITICAL
Published: 2025-06-20
CVSS 4.0 base score: 10.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd); EUVD-2025-18774
PoC Detected: Nov 20, 2025 - 22:15 (vuln.today); public exploit code
CVE Published: Jun 20, 2025 - 19:15 (nvd); CRITICAL 10.0

Description

An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Analysis

CVE-2025-34030 is a critical OS command injection vulnerability in sar2html versions 3.2.2 and earlier that allows unauthenticated remote attackers to execute arbitrary shell commands through unsanitized input in the 'plot' parameter of index.php. The vulnerability carries the maximum CVSS score of 10.0 and requires no authentication, user interaction, or special privileges to exploit. Active exploitation was observed by the Shadowserver Foundation as of February 4, 2025, indicating this is not a theoretical threat.

Technical Context

sar2html is a web application that visualizes system activity reports (SAR data) generated by the Linux sysstat package. The vulnerability exists in the index.php file's handling of the 'plot' GET parameter, which is passed unsanitized into a system-level command execution context (likely via PHP functions such as shell_exec(), system(), passthru(), or proc_open()). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a classic command injection flaw where user input is concatenated into OS command strings without proper escaping or parameterization. The attacker can inject shell metacharacters (semicolons, pipes, backticks, command substitution syntax) to chain arbitrary commands. The vulnerability is reachable via HTTP GET requests with no prior authentication, making it maximally accessible. Affected CPE would be: cpe:2.3:a:sar2html:sar2html:*:*:*:*:*:*:*:* with versions up to and including 3.2.2.

Affected Products

Product: sar2html
Affected Versions: 3.2.2 and all prior versions
Component: index.php (plot parameter)
Attack Vector: HTTP GET parameter

The CVE description gives no version information indicating that a fix was available in official releases as of the publication date. Organizations should check the official sar2html project repository (typically hosted on GitHub or SourceForge) for any patches released after CVE publication. Vendor advisory links were not provided in the description; security teams should contact the sar2html maintainers directly or monitor their official channels for patch announcements. Any deployment of sar2html reachable over a network interface is at risk.

Remediation

Immediate actions:

(1) If a patched version (likely 3.2.3 or later) is available from the sar2html project, upgrade immediately; this is the definitive fix.
(2) If no patch is available, implement network-level mitigations: restrict HTTP access to sar2html to trusted IPs only via firewall rules or web server configuration (e.g., Apache/Nginx allow lists).
(3) Disable or remove sar2html if not actively used.
(4) As a temporary mitigation pending patching, implement strict input validation on the 'plot' parameter at the web server or WAF level: reject requests containing shell metacharacters (;|&`$()[]{}><\") or use a positive whitelist allowing only alphanumeric characters and safe delimiters.
(5) Deploy Web Application Firewall (WAF) rules to detect command injection patterns in query parameters.
(6) Monitor application and system logs for suspicious plot parameter values or unexpected command execution.
(7) Consider running sar2html in a containerized/sandboxed environment with minimal privileges to limit blast radius.

Check the official sar2html GitHub repository or SourceForge project page for official patch releases and vendor advisories.
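The following added example (not code from sar2html or from this advisory) illustrates two of the points above in one place: the CWE-78 pattern from the Technical Context section, where the plot value is concatenated into a shell command string, beside a hardened form that applies the positive allowlist from remediation item (4) and passes the value as a single argv element with no shell; and the log monitoring from item (6), implemented as a scanner that pulls the plot parameter out of web server access log lines and flags values that fail the allowlist. The allowlist character set, the `sar2html-plot` helper name and the access log lines are all constructed for this example; the only injected value used is the `;id` one already quoted in the CVE description.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Positive allowlist in the spirit of remediation item (4): letters, digits and
# a few safe delimiters. The exact delimiter set is an assumption; check which
# plot identifiers sar2html actually emits before deploying such a rule.
PLOT_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Shell metacharacters named in remediation item (4), used for the detection side.
SHELL_METACHARS = set(';|&`$()[]{}><\\"')

# Apache/Nginx combined-format request line: client IP, timestamp, method, target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
)


def is_safe_plot(value: str) -> bool:
    """Accept only values that match the allowlist in full."""
    return PLOT_ALLOWED.fullmatch(value) is not None


def contains_shell_metachars(value: str) -> bool:
    """Negative check: true if any listed shell metacharacter is present."""
    return any(ch in SHELL_METACHARS for ch in value)


def unsafe_shell_string(plot: str) -> str:
    """The CWE-78 pattern: untrusted input concatenated into a command string.
    Shown only to make the injection point visible; never hand this to a shell."""
    return "sar2html-plot " + plot


def build_plot_command(plot: str) -> Optional[list]:
    """Hardened form: validate against the allowlist, then return an argv list so
    the value is one argument and /bin/sh never parses it. `sar2html-plot` is a
    hypothetical helper, not part of sar2html. Returns None when rejected."""
    if not is_safe_plot(plot):
        return None
    return ["sar2html-plot", "--name", plot]


# Constructed access log lines for the detection example (not from a real host).
# The second line uses the `;id` value from the CVE description; the third is the
# same value URL-encoded, which parse_qs decodes before the check runs.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2025:10:12:01 +0000] "GET /index.php?plot=cpu_util&host=web01 HTTP/1.1" 200 5120
203.0.113.9 - - [04/Feb/2025:10:12:44 +0000] "GET /index.php?plot=;id HTTP/1.1" 200 812
203.0.113.9 - - [04/Feb/2025:10:13:02 +0000] "GET /index.php?plot=%3Bid&host=web01 HTTP/1.1" 200 790
198.51.100.2 - - [04/Feb/2025:10:14:30 +0000] "GET /index.php?host=web01 HTTP/1.1" 200 4800
"""


def suspicious_plot_requests(log_text: str) -> list:
    """Return one record per request whose plot parameter fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for plot in query.get("plot", []):
            if not is_safe_plot(plot):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "plot": plot,
                    "metachars": contains_shell_metachars(plot),
                })
    return hits


if __name__ == "__main__":
    print("hardened argv:", build_plot_command("cpu_util"))
    print("rejected:", build_plot_command(";id"))
    for hit in suspicious_plot_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} plot={hit['plot']!r} metachars={hit['metachars']}")
```

Because the scanner decodes the query string before validating, percent-encoded metacharacters are caught the same way as literal ones, which is the main reason to validate the decoded parameter rather than pattern-match the raw request line. The same `is_safe_plot` check can be reused as the positive allowlist at the web server or WAF layer, so that blocking and detection agree on what a legitimate plot value looks like.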

Priority Score

Score: 72 (scale: Low / Medium / High / Critical)
Components: KEV: 0; EPSS: +2.0; CVSS: +50; POC: +20


CVE-2025-34030 vulnerability details – vuln.today
