CVE-2025-34097

EUVD ID: EUVD-2025-21034
Severity: HIGH
Published: 2025-07-10 ([email protected])
CVSS 4.0 base score: 8.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd) - EUVD-2025-21034
PoC Detected: Jul 15, 2025 - 13:14 (vuln.today) - public exploit code
CVE Published: Jul 10, 2025 - 20:15 (nvd) - HIGH 8.6

Description

An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 - a privilege escalation flaw in the user profile page - to achieve full remote code execution from a low-privileged account.

Analysis

ProcessMaker BPM platform versions prior to 3.5.4 contain an unrestricted file upload vulnerability in the plugin installation mechanism. An admin can upload a malicious .tar plugin containing arbitrary PHP code that executes during the plugin's install() method, achieving remote code execution on the workflow automation server.

Technical Context

ProcessMaker's plugin installation accepts .tar archives without validating their contents. A malicious plugin with arbitrary PHP code in its install() method executes during installation. Admin authentication is required, but ProcessMaker often uses default credentials in enterprise deployments.

Affected Products

ProcessMaker < 3.5.4

Remediation

Update to ProcessMaker 3.5.4 or later. Restrict plugin installation to verified packages. Change default admin credentials. Monitor the plugin directory for unauthorized files.

Priority Score

91 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +28.3
CVSS: +43
POC: +20


CVE-2025-34097 vulnerability details – vuln.today
