CVE-2025-34030 PoC — sar2html OS Command Injection

Source

https://github.com/HackerTyperAbuser/CVE-2025-34030-PoC

Associated Vulnerability

Title:sar2html OS Command Injection (CVE-2025-34030)
Description:An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails to sanitize user-supplied input before using it in a system-level context. Remote, unauthenticated attackers can inject shell commands by appending them to the plot parameter (e.g., ?plot=;id) in a crafted GET request. The output of the command is displayed in the application's interface after interacting with the host selection UI. Successful exploitation leads to arbitrary command execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Description

PoC for CVE-2025-34030 sar2html 'plot' parameter RCE

Readme

# CVE-2025-34030 - sar2html 'plot' parameter RCE

CVSS: <span style="color:rgb(192, 0, 0)">10.0 Critical</span><br>
Vulnerability: OS Command Injection<br>
Programming Language: PHP<br>
Exploit Code: Python <br>

References: 
- https://nvd.nist.gov/vuln/detail/CVE-2025-34030
- https://www.vulncheck.com/advisories/sar2html-command-injection

## Description
sar2html version <= 3.2.1 contains an unauthenticated OS Command Injection vulnerability via the plot parameter in index.php (`index.php?plot=; <command>`) the output of the vulnerability is displayed in the application's interface after execution, "select # host" contains command output.
<br>

## Proof of Concept
![Demo Video](img/CVE-2025-34030.gif)

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!