Vulnerability Description
An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
Related Weaknesses (CWE)
References
- https://github.com/cemtan/sar2html
- https://vulncheck.com/advisories/sar2html-command-injection
- https://www.exploit-db.com/exploits/47204
- https://www.fortiguard.com/encyclopedia/ips/48624
FAQ
What is CVE-2025-34030?
CVE-2025-34030 is a documented vulnerability. An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-...
How severe is CVE-2025-34030?
CVSS scoring is not yet available for CVE-2025-34030. Check NVD for updates.
Is there a patch for CVE-2025-34030?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.