CVE-2025-34030

CRITICAL EXPLOITED NUCLEI

sar2html <3.2.2 - Command Injection

Exploitation Summary

CVE-2025-34030 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, from researchers including Cemal Cihad ÇİFTÇİ and HackerTyperAbuser. A Nuclei detection template is also available.

Description

An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
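
For triage, the following added example (not part of the original entry or of any referenced project) scans web server access logs for requests to index.php whose `plot` value contains shell metacharacters after percent-decoding, including double encoding. It assumes combined log format and that legitimate `plot` values contain none of these characters; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters a POSIX shell treats as separators, pipes, redirection or substitution.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r\\]")
# Request target inside a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_plot_values(log_line):
    """Return decoded `plot` values from one log line that contain shell metacharacters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # index.php may be requested by name or served as the directory index.
    if not (url.path.endswith("index.php") or url.path.endswith("/")):
        return []
    hits = []
    for pair in url.query.split("&"):  # split on '&' only, so ';' stays in the value
        key, _, value = pair.partition("=")
        if fully_decode(key) == "plot" and SHELL_META.search(fully_decode(value)):
            hits.append(fully_decode(value))
    return hits

def scan(lines):
    """Map each flagged line to (client address, decoded plot value)."""
    return [(line.split()[0], v) for line in lines for v in suspicious_plot_values(line)]

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    '198.51.100.7 - - [04/Feb/2025:09:12:01 +0000] "GET /sar2html/index.php?plot=;id HTTP/1.1" 200 4312',
    '198.51.100.7 - - [04/Feb/2025:09:12:05 +0000] "GET /index.php?plot=%253Bid HTTP/1.1" 200 4312',
    '192.0.2.10 - - [04/Feb/2025:09:13:40 +0000] "GET /sar2html/index.php?plot=LINUX HTTP/1.1" 200 9120',
    '192.0.2.10 - - [04/Feb/2025:09:14:02 +0000] "GET /sar2html/style.css HTTP/1.1" 200 733',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE):
        print(f"{client} plot={value!r}")
```

A hit only shows that a request carried shell syntax in `plot`; whether the host was vulnerable depends on the installed sar2html version.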

Exploits (2)

exploitdb WORKING POC
by Cemal Cihad ÇİFTÇİ · text · webapps · php
https://www.exploit-db.com/exploits/47204

This exploit demonstrates a command injection vulnerability in sar2html 3.2.1 via the 'plot' parameter in index.php. The attacker can execute arbitrary commands by appending them to the URL, with output displayed after selecting a host.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: sar2html 3.2.1
No auth needed
Prerequisites: Network access to the target web application
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by HackerTyperAbuser · remote
https://github.com/HackerTyperAbuser/CVE-2025-34030-PoC

This repository contains a Python-based exploit for CVE-2025-34030, an unauthenticated OS command injection vulnerability in sar2html <= 3.2.1 via the 'plot' parameter. The exploit sends a reverse shell payload to the target and verifies vulnerability by checking for 'www-data' in the response.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: sar2html <= 3.2.1
No auth needed
Prerequisites: Network access to the target · Attacker-controlled listener for reverse shell
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

sar2html <=3.2.2 Plot Parameter - Remote Code Execution
CRITICAL · by gy741, TATANKA97

References (4)

Core References
Vendor Advisory (third-party-advisory): https://www.fortiguard.com/encyclopedia/ips/48624
Third Party Advisory (third-party-advisory): https://vulncheck.com/advisories/sar2html-command-injection
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/47204

Scores

CVSS v4 10.0
EPSS 0.1491
EPSS Percentile 94.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-06-20
CWE: CWE-78
Status: published
Products (1): sar2html/sar2html < 3.2.2
Published: Jun 20, 2025
Tracked Since: Feb 18, 2026