Security Advisory

CVE-2025-34030

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-06-20 18:40:04
Last updated 2026-04-07 14:09:06
Assigner VulnCheck
State PUBLISHED

Description

An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the applications interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.