Severity by source
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
Analysis (AI)
CVE-2025-34030 is a critical OS command injection vulnerability in sar2html versions 3.2.2 and earlier that lets unauthenticated remote attackers execute arbitrary shell commands through unsanitized input in the 'plot' parameter of index.php. The vulnerability carries the maximum CVSS score of 10.0 and requires no authentication, user interaction, or special privileges to exploit. The Shadowserver Foundation observed active exploitation as of February 4, 2025, so this is not a theoretical threat.
Technical Context (AI)
sar2html is a web application that visualizes system activity reports (SAR data) generated by the Linux sysstat package. The vulnerability exists in the index.php file's handling of the 'plot' GET parameter, which is passed unsanitized into a system-level command execution context (likely via PHP functions such as shell_exec(), system(), passthru(), or proc_open()). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a classic command injection flaw where user input is concatenated into OS command strings without proper escaping or parameterization. The attacker can inject shell metacharacters (semicolons, pipes, backticks, command substitution syntax) to chain arbitrary commands. The vulnerability is reachable via HTTP GET requests with no prior authentication, making it maximally accessible. Affected CPE would be: cpe:2.3:a:sar2html:sar2html:*:*:*:*:*:*:*:* with versions up to and including 3.2.2.
Remediation (AI)
Immediate actions:
(1) If a patched version (likely 3.2.3 or later) is available from the sar2html project, upgrade immediately; this is the definitive fix.
(2) If no patch is available, apply network-level mitigations: restrict HTTP access to sar2html to trusted IPs via firewall rules or web server configuration (e.g., Apache/Nginx allow lists).
(3) Disable or remove sar2html if it is not actively used.
(4) As a temporary mitigation pending a patch, enforce strict input validation on the 'plot' parameter at the web server or WAF level: reject requests containing shell metacharacters (; | & ` $ ( ) [ ] { } > < ") or use a positive whitelist that allows only alphanumeric characters and safe delimiters.
(5) Deploy Web Application Firewall (WAF) rules that detect command injection patterns in query parameters.
(6) Monitor application and system logs for suspicious plot parameter values or unexpected command execution.
(7) Consider running sar2html in a containerized/sandboxed environment with minimal privileges to limit the blast radius.
Check the official sar2html GitHub repository or SourceForge project page for patch releases and vendor advisories.
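Steps (4) and (6) above, as an added example that is not part of this advisory or of the sar2html project: a positive allow-list check for the plot parameter, run as a detector over constructed Apache/Nginx-style access-log lines. The allowed character set and the log format are assumptions; the advisory's own ';id' example is used as one of the constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Positive allow-list for the plot selector (assumption: the legal values are not
# documented here, so tighten this to the plot names sar2html actually accepts).
SAFE_PLOT = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Shell metacharacters named in mitigation step (4); reported as context only.
SHELL_META = set(';|&`$()[]{}><"')
# Apache/Nginx combined-log prefix (assumed format): client, timestamp, request.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3}'
)

def plot_values(request_path):
    """Return every percent-decoded value of the 'plot' query parameter.
    separator='&' keeps ';' inside the value instead of treating it as a delimiter."""
    query = urlsplit(request_path).query
    return parse_qs(query, keep_blank_values=True, separator="&").get("plot", [])

def is_safe_plot(value):
    """True only if the decoded value matches the allow-list in full."""
    return SAFE_PLOT.fullmatch(value) is not None

def scan_access_log(lines):
    """Report each request whose plot value fails the allow-list.

    The allow-list decides, not the metacharacter list: a double-encoded value
    ('%253B' decodes once to '%3B') carries no literal metacharacter yet is
    still flagged, which is why a block-list alone is the weaker control.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        for value in plot_values(m["path"]):
            if not is_safe_plot(value):
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "plot": value,
                    "metachars": sorted(c for c in SHELL_META if c in value),
                })
    return findings

# Constructed sample lines (not real traffic): a benign request, the advisory's
# ';id' example, its percent-encoded form, and a double-encoded form.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Feb/2025:10:15:01 +0000] "GET /sar2html/index.php?plot=cpu HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Feb/2025:10:15:02 +0000] "GET /sar2html/index.php?plot=;id HTTP/1.1" 200 731',
    '203.0.113.9 - - [04/Feb/2025:10:16:30 +0000] "GET /sar2html/index.php?plot=cpu%3Bid HTTP/1.1" 200 740',
    '203.0.113.9 - - [04/Feb/2025:10:16:31 +0000] "GET /sar2html/index.php?plot=%253Bid HTTP/1.1" 200 740',
]
```

Calling scan_access_log(SAMPLE_LOG) returns three findings (the benign cpu request passes); the same is_safe_plot check can sit in a WAF rule or in the PHP handler before the value reaches any shell call.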
EUVD-2025-18774