CVE-2025-34113 is an authenticated command injection vulnerability affecting multiple versions of the Tiki Wiki CMS Groupware, specifically versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14. The flaw exists in the 'tiki-calendar.php' script, particularly in the handling of the 'viewmode' GET parameter when the calendar module is enabled. An authenticated user with permission to access the calendar can manipulate this parameter to inject arbitrary PHP code. This occurs due to missing authentication checks on critical functions (CWE-306), improper input validation (CWE-20), and unsafe command execution (CWE-78). The vulnerability enables remote code execution (RCE) in the context of the web server user, potentially allowing attackers to execute arbitrary commands, escalate privileges, or pivot within the affected environment. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no additional privileges required beyond authentication (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). Although no known exploits are currently in the wild, the vulnerability's characteristics make it a critical risk for organizations relying on Tiki Wiki CMS for collaboration and content management. The lack of available patches at the time of disclosure necessitates immediate attention to alternative mitigations.

The impact of CVE-2025-34113 is significant for organizations using affected versions of Tiki Wiki CMS Groupware. Successful exploitation results in remote code execution with the privileges of the web server user, enabling attackers to execute arbitrary PHP code. This can lead to full system compromise, data theft, unauthorized access to sensitive information, defacement, or use of the compromised server as a pivot point for further attacks within the network. The vulnerability affects confidentiality, integrity, and availability of the affected systems. Since the vulnerability requires only authenticated access with calendar permissions, insider threats or compromised user credentials can be leveraged to exploit it. The widespread use of Tiki Wiki CMS in various sectors including education, government, and enterprises increases the risk of targeted attacks. Without timely mitigation, organizations face risks of operational disruption, reputational damage, and regulatory non-compliance due to data breaches.

To mitigate CVE-2025-34113, organizations should immediately restrict access to the calendar module to only trusted users and review user permissions to minimize the number of users with calendar access. Network segmentation and web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the 'viewmode' parameter. Monitoring logs for unusual parameter values or unexpected PHP execution can help detect exploitation attempts. Until official patches are released, consider disabling the calendar module if feasible to eliminate the attack surface. Implement strict input validation and sanitization on all user-supplied parameters, especially those used in command execution contexts. Employ multi-factor authentication (MFA) to reduce the risk of credential compromise. Regularly update and audit user privileges and credentials. Finally, maintain an incident response plan to quickly contain and remediate any exploitation.