cbcvebase.
CVE-2025-34120
published 2025-07-16


Priority: P2 · 64 · high · 8.7 (CVSS 4.0)
Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
EXPLOIT
EPSS: 1.21% (64.7th percentile)
An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify arbitrary file paths using a crafted `datasupdateinfo` payload. The files are packaged in a ZIP archive and made available for download without authentication. This vulnerability can be exploited to read arbitrary files on the host system, including sensitive OS and configuration files.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| limesurvey_gmbh | limesurvey | 2.0+ – 2.06+ Build 151014 | |

Detection & IOCs (extracted from sources)

URL: `index.php/admin/update/sa/backup`
  • Monitor HTTP requests to `index.php/admin/update/sa/backup` originating from unauthenticated sessions (no valid session cookie/token). Requests containing a `datasupdateinfo` parameter with serialized data referencing arbitrary file paths (e.g., `/etc/passwd`, OS config files) are indicative of exploitation.
  • Look for ZIP archive download responses from the LimeSurvey backup endpoint without a preceding authenticated admin session, as the exploit delivers arbitrary files packaged in a ZIP archive without authentication.
  • A Metasploit auxiliary module (`auxiliary/admin/http/limesurvey_file_download`) exists for this CVE. Detect exploitation attempts by correlating user-agent strings or request patterns consistent with Metasploit against the backup endpoint.
  • Affected versions are LimeSurvey 2.0+ up to and including 2.06+ Build 151014. Detection rules should be scoped to these versions to reduce false positives.
  • The exploit automatically unzips the downloaded ZIP archive, meaning binary files (not just text) can be exfiltrated. Detection should not be limited to text-based sensitive files.
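
The first two detection points above, combined into one triage pass over proxy logs. This is an added example, not code from the advisory or from LimeSurvey. The JSON log schema (`src`, `uri`, `body`, `cookie`, `status`, `resp_type`), the scoring weights and the ZIP content-type check are assumptions, and the sample records are constructed.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "index.php/admin/update/sa/backup"  # endpoint named in the advisory
PARAM = "datasupdateinfo"                      # parameter named in the advisory
# Constructed sample records; the field names are an assumed proxy log schema.
SAMPLE_LOG = """\
{"src":"198.51.100.4","uri":"/index.php/admin/update/sa/backup","body":"","cookie":"PHPSESSID=constructed","status":200,"resp_type":"text/html"}
{"src":"203.0.113.7","uri":"/index.php/admin/update/sa/backup","body":"datasupdateinfo=CONSTRUCTED-PLACEHOLDER","cookie":"","status":200,"resp_type":"application/zip"}
{"src":"203.0.113.9","uri":"/index.php//admin/update/sa/%62ackup?datasupdateinfo=CONSTRUCTED","body":"","cookie":"","status":404,"resp_type":"text/html"}
{"src":"198.51.100.4","uri":"/index.php/survey/index","body":"","cookie":"","status":200,"resp_type":"text/html"}
"""

def normalized_path(uri):
    # Percent-decode, lowercase and collapse repeated slashes before matching.
    path = unquote(urlsplit(uri).path).lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path

def classify(rec):
    """Return None for unrelated traffic, else (score, reasons) for one record."""
    uri = rec.get("uri", "")
    if ENDPOINT not in normalized_path(uri):
        return None
    score, reasons = 1, ["backup endpoint requested"]
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    params.update(parse_qs(rec.get("body", ""), keep_blank_values=True))  # query or form body
    if any(name.lower() == PARAM for name in params):
        score, reasons = score + 1, reasons + [PARAM + " parameter present"]
    # No cookie means no session at all; a cookie alone does not prove admin login.
    if not rec.get("cookie"):
        score, reasons = score + 1, reasons + ["no session cookie"]
    if rec.get("status") == 200 and "zip" in rec.get("resp_type", "").lower():
        score, reasons = score + 1, reasons + ["ZIP archive returned"]
    return score, reasons

def scan(log_text, threshold=3):
    """Return (source, score, reasons) for every record at or above threshold."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        result = classify(rec)
        if result and result[0] >= threshold:
            hits.append((rec.get("src"), result[0], result[1]))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Because a session cookie is issued to any visitor, a record that scores below the threshold only because a cookie is present still needs correlation against authenticated admin logins.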