CVE-2025-34110
published 2025-07-15

Priority: P2 (67) · CVSS 4.0 base score: 9.3 (critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Tags: EXPLOIT
EPSS: 1.30% (66.9th percentile)
A directory traversal vulnerability exists in ColoradoFTP Server ≤ 1.3 Build 8 for Windows, allowing unauthenticated attackers to read or write arbitrary files outside the configured FTP root directory. The flaw is due to insufficient sanitization of user-supplied file paths in the FTP GET and PUT command handlers. Exploitation is possible by submitting traversal sequences during FTP operations, enabling access to system-sensitive files. This issue affects only the Windows version of ColoradoFTP.

Affected (1 range)

Vendor        Product   Version range     Fixed in
coloradoftp   server    <= 1.3 Build 8    not listed

Detection & IOCs (extracted from sources)

Command: GET/PUT with traversal sequences starting with '\'
  • Monitor FTP GET and PUT commands containing backslash-based directory traversal sequences (e.g., starting with '\') targeting ColoradoFTP Server ≤ 1.3 Build 8 on Windows.
  • Exploitation does not require authentication — alert on unauthenticated FTP sessions issuing GET or PUT commands with path traversal patterns.
  • The vulnerability is Windows-specific despite the server being Java-based; scope detection to Windows hosts running ColoradoFTP.
  • Exploitation is limited to ColoradoFTP Server version 1.3 Build 8 and earlier; verify exact version before applying detections.
  • Despite the Java runtime being cross-platform, the traversal vulnerability is only exploitable on the Windows version of ColoradoFTP — Linux/macOS deployments are not affected.
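Detection logic for the pattern these bullets describe, as an added example that is not part of the advisory and not ColoradoFTP code: it scans constructed FTP command log lines (the log layout is an assumption) and flags GET/PUT arguments that start with a backslash or contain a '..' segment, ranking unauthenticated backslash-based hits highest.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log. The layout (timestamp, client IP, auth state,
# command, argument) is an assumption, not ColoradoFTP's real log format.
SAMPLE_LOG = r"""
2025-07-16T10:00:01Z 203.0.113.5 anon GET \..\..\Windows\win.ini
2025-07-16T10:00:02Z 203.0.113.5 anon PUT ..\..\inetpub\wwwroot\x.txt
2025-07-16T10:00:03Z 198.51.100.7 auth GET reports/q2.pdf
2025-07-16T10:00:04Z 198.51.100.7 auth PUT /uploads/notes.txt
2025-07-16T10:00:05Z 203.0.113.9 anon GET ../../etc/passwd
2025-07-16T10:00:06Z 203.0.113.5 anon LIST \pub
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<auth>anon|auth) (?P<cmd>[A-Z]+) ?(?P<arg>.*)$"
)
# Either a leading backslash (escapes the FTP root on Windows) or a '..'
# segment delimited by '\' or '/'. Forward-slash forms are matched too so
# the same rule also catches the generic pattern.
TRAVERSAL = re.compile(r"^\\|(?:^|[\\/])\.\.(?:[\\/]|$)")


def classify(arg: str) -> Optional[str]:
    """Name the traversal style in a GET/PUT argument, or None if clean."""
    if not TRAVERSAL.search(arg):
        return None
    return "backslash-traversal" if "\\" in arg else "slash-traversal"


def detect(log: str) -> List[Dict[str, str]]:
    """One hit per GET/PUT line whose argument carries a traversal sequence."""
    hits = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["cmd"] not in ("GET", "PUT"):
            continue  # other commands (LIST etc.) are outside this rule's scope
        kind = classify(m["arg"])
        if kind is None:
            continue
        # The advisory singles out unauthenticated sessions and the Windows
        # backslash form, so those two together give the highest severity.
        severity = "high" if m["auth"] == "anon" and kind == "backslash-traversal" else "medium"
        hits.append({"ip": m["ip"], "cmd": m["cmd"], "arg": m["arg"],
                     "kind": kind, "severity": severity})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(h["severity"], h["ip"], h["cmd"], h["arg"], h["kind"])
```

Scope the rule to Windows hosts running ColoradoFTP ≤ 1.3 Build 8, as the bullets advise, to keep the slash-only hits from drowning the Windows-specific ones.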