What is the CVSS score of CVE-2025-34095?

CVE-2025-34095 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. EPSS exploitation probability: 45.4%.

Which versions of Windows are affected by CVE-2025-34095?

A critical remote code execution vulnerability in Mako Server versions 2.5 and 2.6 allows unauthenticated attackers to execute arbitrary commands on affected systems without requiring valid…

Is there a public PoC exploit available for CVE-2025-34095?

Yes, a public proof-of-concept exploit is available for CVE-2025-34095. Prioritise patching immediately. EPSS: 45.4%.

How to fix or mitigate CVE-2025-34095?

Within 24 hours: Identify all Mako Server instances running versions 2.5 or 2.6 across your infrastructure and isolate them from external network access immediately; disable or restrict access to the examples/save.lsp and examples/manage.lsp endpoints via firewall or WAF rules. Within 7 days: Conduct forensic analysis of affected systems for signs of compromise (check logs, file integrity, and process execution history); begin migration planning to patched versions or alternative solutions once patches are released by the vendor. Within 30 days: Complete deployment of patched versions or decommission affected Mako Server instances; validate remediation and restore normal network access only after confirming patched versions are in place.

Windows CVE-2025-34095

EUVD-2025-21031 CRITICAL

OS Command Injection (CWE-78)

2025-07-10 disclosure@vulncheck.com

Windows Command Injection Microsoft

9.3

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21031

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

PoC Detected

Jul 15, 2025 - 13:14 vuln.today

Public exploit code

CVE Published

Jul 10, 2025 - 20:15 nvd

CRITICAL 9.3

DescriptionNVD

An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.

AnalysisAI

Mako Server versions 2.5 and 2.6 contain an unauthenticated OS command injection via the tutorial interface at examples/save.lsp. Attackers can send crafted PUT requests with arbitrary Lua os.execute() code that is persisted on disk and executed, achieving remote code execution on the embedded web server.

Technical ContextAI

The examples/save.lsp endpoint accepts PUT requests that write Lua code to disk. The endpoint is unauthenticated and does not validate the content. An attacker can inject Lua code containing os.execute() calls that execute system commands. Because the code is persisted, the backdoor survives server restarts.

RemediationAI

Remove the examples/ directory from production Mako deployments. Disable the save.lsp endpoint. Restrict Mako Server access to trusted networks. Audit saved Lua files for injected code.

More from same product – last 7 days

CVE-2026-40412 CRITICAL Monitor

10.0 May 22

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous fil

CVE-2026-41104 CRITICAL Monitor

10.0 May 22

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft mal

CVE-2026-23652 CRITICAL Monitor

10.0 May 22

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-

CVE-2026-47280 CRITICAL Monitor

10.0 May 22

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authenti

CVE-2026-42901 CRITICAL Monitor

10.0 May 22

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain

CVE-2025-34095 vulnerability details – vuln.today

Back

Windows CVE-2025-34095

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code