← back
CVE-2025-34095

Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp

CVSS 9.3 CRITICALEPSS 4.4%CWE-78
An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Real Time Logic · Mako Server
public PoCs found2
cve_referenceraw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/makoserver_cmd_exec.rbunverifiedcve_referencewww.exploit-db.com/exploits/43132unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/makoserver_cmd_exec.rbhttps://vulncheck/advisories/mako-server-rcehttps://www.exploit-db.com/exploits/43132