CVE Alert

CVE-2025-34095

UNKNOWN 0.0

Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.

CWE CWE-78
Vendor Real Time Logic
Product Mako Server
Published Jul 10, 2025
Last Updated Apr 7, 2026

Affected Versions

Real Time Logic / Mako Server
2.5 ≤ version ≤ 2.6

References

NVD, CVE.org, EPSS Data
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/makoserver_cmd_exec.rb
exploit-db.com: https://www.exploit-db.com/exploits/43132
vulncheck: https://vulncheck/advisories/mako-server-rce

Credits

John Page (hyp3rlinx) of Beyond Security SecuriTeam Secure Disclosure