
PHP CVE-2025-34097 | EUVD-2025-21034 | HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-07-10 | disclosure@vulncheck.com
CVSS 4.0 base score: 8.6

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None

Lifecycle Timeline

- Apr 16, 2026 06:27 (EUVD-patch-fix): Analysis updated (executive summary)
- Apr 16, 2026 05:29 (backfill_euvd_patch): Re-analysis queued (patch_released)
- Apr 16, 2026 05:29 (EUVD): Patch available, version 3.5.4
- Mar 16, 2026 06:52 (euvd): EUVD ID assigned, EUVD-2025-21034
- Mar 16, 2026 06:52 (vuln.today): Analysis generated
- Jul 15, 2025 13:14 (vuln.today): PoC detected (public exploit code)
- Jul 10, 2025 20:15 (nvd): CVE published, HIGH 8.6

Description (NVD)

An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 - a privilege escalation flaw in the user profile page - to achieve full remote code execution from a low-privileged account.

Analysis (AI-generated)

ProcessMaker BPM platform versions prior to 3.5.4 contain an unrestricted file upload vulnerability in the plugin installation mechanism. An admin can upload a malicious .tar plugin containing arbitrary PHP code that executes during the plugin's install() method, achieving remote code execution on the workflow automation server.

Technical Context (AI-generated)

ProcessMaker's plugin installation accepts .tar archives without validating their contents. A malicious plugin with arbitrary PHP code in its install() method executes during installation. Admin authentication is required, but ProcessMaker often uses default credentials in enterprise deployments.

Remediation (AI-generated)

Update to ProcessMaker 3.5.4 or later. Restrict plugin installation to verified packages. Change default admin credentials. Monitor the plugin directory for unauthorized files.
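Two of the remediation points above (restrict installation to verified packages, monitor the plugin directory) can be turned into operator-side checks. The script below is an added example, not ProcessMaker's or vuln.today's code: it verifies a plugin archive's SHA-256 against an operator-maintained allowlist, rejects tar members that would escape the extraction root, and diffs a plugin directory against a recorded baseline. The allowlist, the plugin directory path and the sample archives are constructed here for illustration; plugin file names inside the archives are hypothetical and do not reflect ProcessMaker's real layout.

```python
"""Pre-install verification of a plugin archive and baseline diff of a plugin directory.

Added example (not ProcessMaker's code). Assumes the operator maintains a set of
approved archive hashes and records a baseline snapshot right after a known-good
install; archives and directory contents below are constructed test fixtures.
"""
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_is_approved(archive_bytes: bytes, approved_hashes: set) -> bool:
    """Pass only archives whose SHA-256 is on the operator-maintained allowlist."""
    return sha256_bytes(archive_bytes) in approved_hashes


def unsafe_members(archive_bytes: bytes) -> list:
    """Return tar member names that are absolute, contain '..', or are links.

    Any such member could write outside the plugin directory on extraction.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if os.path.isabs(name) or ".." in Path(name).parts:
                bad.append(name)
            elif member.issym() or member.islnk():
                bad.append(name)
    return bad


def build_tar(files: dict) -> bytes:
    """Construct an in-memory .tar from {name: bytes} (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def snapshot(plugin_dir: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under plugin_dir."""
    result = {}
    for p in sorted(plugin_dir.rglob("*")):
        if p.is_file():
            result[p.relative_to(plugin_dir).as_posix()] = sha256_bytes(p.read_bytes())
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the recorded baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


if __name__ == "__main__":
    # Constructed fixtures: one approved archive, one that tries to escape the root.
    good = build_tar({"examplePlugin/examplePlugin.php": b"<?php // plugin code\n"})
    bad = build_tar({"../../escaped.php": b"<?php // written outside plugin dir\n"})
    allowlist = {sha256_bytes(good)}  # operator-maintained (hypothetical)
    print("good approved:", archive_is_approved(good, allowlist), unsafe_members(good))
    print("bad approved:", archive_is_approved(bad, allowlist), unsafe_members(bad))

    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "examplePlugin").mkdir()
        (root / "examplePlugin" / "examplePlugin.php").write_bytes(b"<?php // v1\n")
        baseline = snapshot(root)  # record right after a verified install
        (root / "examplePlugin" / "dropped.php").write_bytes(b"<?php // unexpected\n")
        print("drift:", diff_snapshots(baseline, snapshot(root)))
```

Run the baseline snapshot immediately after a verified install and re-run the diff on a schedule; any entry under "added" or "modified" in the plugin directory that does not correspond to an approved install is worth an alert.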


CVE-2025-34097 vulnerability details – vuln.today
