CVE-2025-34097

HIGH

ProcessMaker < 3.5.4 - Authenticated Remote Code Execution via Plugin Upload


Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34097. Both PoCs were published by Metasploit, including the Metasploit module exploits/multi/http/processmaker_plugin_upload.

AI-analyzed exploit summary:

This Metasploit module exploits an authenticated plugin upload vulnerability in ProcessMaker to achieve remote code execution (RCE) by uploading a malicious PHP plugin. The exploit generates a tar file containing the payload, uploads it, and triggers execution during installation.

Description

An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/44399


Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ProcessMaker versions 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1
Auth required
Prerequisites: Valid administrator credentials · Access to the ProcessMaker web interface
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/processmaker_plugin_upload.rb

This Metasploit module exploits a plugin upload vulnerability in ProcessMaker to achieve remote code execution (RCE) as the web server user. It authenticates with provided credentials, uploads a malicious plugin containing PHP payload, and triggers execution during installation.

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ProcessMaker versions 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1
Auth required
Prerequisites: Valid administrator credentials · Network access to the ProcessMaker instance
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 8.6
EPSS: 0.5666
EPSS Percentile: 98.2%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (1): ProcessMaker Inc./ProcessMaker < 3.5.4
Published: Jul 10, 2025
Tracked Since: Feb 18, 2026