How to fix EUVD-2025-21031?

Within 24 hours: Identify all Mako Server instances running versions 2.5 or 2.6 across your infrastructure and isolate them from external network access immediately; disable or restrict access to the examples/save.lsp and examples/manage.lsp endpoints via firewall or WAF rules. Within 7 days: Conduct forensic analysis of affected systems for signs of compromise (check logs, file integrity, and process execution history); begin migration planning to patched versions or alternative solutions once patches are released by the vendor. Within 30 days: Complete deployment of patched versions or decommission affected Mako Server instances; validate remediation and restore normal network access only after confirming patched versions are in place.

Is Command Injection affected by EUVD-2025-21031?

A critical remote code execution vulnerability in Mako Server versions 2.5 and 2.6 allows unauthenticated attackers to execute arbitrary commands on affected systems without requiring valid credentials.

EUVD-2025-21031

| CVE-2025-34095 CRITICAL

2025-07-10 [email protected]

9.3

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21031

PoC Detected

Jul 15, 2025 - 13:14 vuln.today

Public exploit code

CVE Published

Jul 10, 2025 - 20:15 nvd

CRITICAL 9.3

Description

An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.

Analysis

Mako Server versions 2.5 and 2.6 contain an unauthenticated OS command injection via the tutorial interface at examples/save.lsp. Attackers can send crafted PUT requests with arbitrary Lua os.execute() code that is persisted on disk and executed, achieving remote code execution on the embedded web server.

Technical Context

The examples/save.lsp endpoint accepts PUT requests that write Lua code to disk. The endpoint is unauthenticated and does not validate the content. An attacker can inject Lua code containing os.execute() calls that execute system commands. Because the code is persisted, the backdoor survives server restarts.

Affected Products

['Mako Server 2.5', 'Mako Server 2.6']

Remediation

Remove the examples/ directory from production Mako deployments. Disable the save.lsp endpoint. Restrict Mako Server access to trusted networks. Audit saved Lua files for injected code.

Priority Score

112

Low Medium High Critical

KEV: 0

EPSS: +45.4

CVSS: +46

POC: +20

EUVD-2025-21031 vulnerability details – vuln.today

Back

EUVD-2025-21031

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-21031

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code