CVE-2025-34097: CWE-434 Unrestricted Upload of File with Dangerous Type in ProcessMaker Inc. ProcessMaker
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
AI Analysis
Technical Summary
CVE-2025-34097 is an unrestricted file upload vulnerability classified under CWE-434, affecting ProcessMaker versions prior to 3.5.4. The vulnerability arises from improper validation and handling of uploaded plugin archives, specifically .tar files. An attacker possessing administrative privileges can upload a malicious plugin archive containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, which executes the embedded PHP code with the privileges of the web server user. This can lead to remote code execution (RCE) on the server, compromising the system's confidentiality, integrity, and availability. The vulnerability is particularly dangerous because it can be chained with CVE-2022-38577, a privilege escalation vulnerability in the user profile page, allowing attackers starting from a low-privileged account to escalate privileges and execute arbitrary code remotely. The CVSS 4.0 base score is 8.6, indicating a high severity with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. No patches are linked yet, and no known exploits are reported in the wild, but the potential for exploitation is significant given the ease of exploitation and impact. The vulnerability affects all versions prior to 3.5.4, making it critical for organizations using ProcessMaker to update promptly.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those relying on ProcessMaker for business process management and workflow automation. Successful exploitation can lead to full system compromise, data theft, unauthorized access, and disruption of critical business processes. The ability to execute arbitrary PHP code on the server can allow attackers to install backdoors, pivot within the network, and exfiltrate sensitive information. Given that ProcessMaker is used in various sectors including government, finance, healthcare, and manufacturing, the impact could extend to critical infrastructure and services. The chaining with a privilege escalation vulnerability increases the attack surface, enabling attackers with minimal privileges to gain full control. This elevates the threat level for organizations that may not have strict administrative access controls. Additionally, the lack of known exploits currently does not reduce the urgency, as public disclosure often leads to rapid development of exploit code. The disruption or compromise of workflow management systems can have cascading effects on operational continuity and regulatory compliance within the EU.
Mitigation Recommendations
European organizations should immediately upgrade ProcessMaker installations to version 3.5.4 or later once available. Until patches are applied, restrict administrative privileges strictly to trusted personnel and implement strong authentication mechanisms such as multi-factor authentication (MFA) for admin accounts. Monitor and audit plugin uploads and installations closely to detect any unauthorized or suspicious activity. Employ web application firewalls (WAFs) with custom rules to detect and block malicious file uploads or abnormal plugin installation behaviors. Conduct regular security assessments and penetration testing focused on privilege escalation and file upload vectors. Segregate the ProcessMaker server from critical network segments to limit lateral movement in case of compromise. Additionally, review and harden PHP configurations to restrict execution of unauthorized scripts and disable unnecessary PHP functions. Maintain comprehensive logging and alerting to enable rapid incident response. Finally, educate administrators on the risks of uploading untrusted plugins and enforce strict change management policies.
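As an added example (not ProcessMaker's own code), a pre-install gate an administrator could run over a plugin .tar before installing it: it records the archive digest for comparison against an allowlist of plugins vetted out of band, and flags members that escape the plugin directory, link members, and PHP sources that call shell or dynamic-code primitives. The allowlist, the sample archives and the plugin class name are constructed for illustration.

```python
"""Pre-install gate for plugin .tar archives (added example, not ProcessMaker code)."""
import hashlib
import io
import re
import tarfile

# Constructed allowlist: SHA-256 digests of plugin archives vetted out of band.
VETTED_PLUGIN_SHA256 = set()

# PHP primitives that hand control to a shell or to dynamic code. A hit is a
# review trigger for the administrator, not proof that the plugin is malicious.
RISKY_PHP = re.compile(r"\b(eval|system|exec|shell_exec|passthru|proc_open|popen)\s*\(")


def inspect_plugin_tar(data: bytes) -> dict:
    """Hash the archive and list members that should block or flag installation."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            # Members that escape the plugin directory or alias other files.
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append(f"unsafe path: {m.name}")
            if m.issym() or m.islnk():
                findings.append(f"link member: {m.name} -> {m.linkname}")
            if m.isfile() and m.name.lower().endswith((".php", ".phtml", ".phar")):
                src = tar.extractfile(m).read().decode("utf-8", "replace")
                for fn in sorted(set(RISKY_PHP.findall(src))):
                    findings.append(f"{m.name}: calls {fn}()")
    return {"sha256": digest, "vetted": digest in VETTED_PLUGIN_SHA256, "findings": findings}


def build_tar(files: dict) -> bytes:
    """Build an in-memory tar from {member_name: bytes}; only used for constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a harmless plugin skeleton and one whose install() shells out
# and also carries a member that would land outside the plugin directory.
BENIGN = build_tar({"demo/demo.php": b"<?php class demoPlugin { function install() {} }"})
SUSPECT = build_tar({
    "demo/demo.php": b"<?php class demoPlugin { function install() { system($cmd); } }",
    "../../shared/x.php": b"<?php echo 1;",
})
```

A non-empty `findings` list or `vetted == False` should stop the install and route the archive to manual review; the digest also gives the audit log a stable identifier for the upload.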
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.555Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 687014fca83201eaaca979ce
Added to database: 7/10/2025, 7:31:08 PM
Last enriched: 11/26/2025, 2:09:44 PM
Last updated: 1/7/2026, 4:22:57 AM