cbcvebase.
CVE-2025-34508
published 2025-06-17

CVE-2025-34508: A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker…

PriorityP353medium6.3CVSS 3.1
AVNACLPRLUINSUCLILAL
EPSS
62.06%
99.1th percentile
A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host system, or cause a denial of service.

Affected

1 ranges
VendorProductVersion rangeFixed in
zendtozendto< 6.15-86.15-8

Detection & IOCsextracted from sources · hover to see the quote

url/dropoff
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZendTo Dropoff Path Traversal (CVE-2025-34508)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dropoff"; fast_pattern; startswith; http.request_body; content:"|22|tmp_name|22 3a|"; content:"|2e 2e 2f|"; distance:0; reference:url,horizon3.ai/attack-research/attack-blogs/cve-2025-34508-another-file-sharing-application-another-path-traversal/; reference:cve,2025-34508; classtype:web-application-attack; sid:2063026; rev:1; metadata:attack_target Server, created_at 2025_06_17, cve CVE_2025_34508, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
|22|tmp_name|22 3a| followed by |2e 2e 2f| ("tmp_name": ... ../)
  • Look for HTTP POST requests to the /dropoff URI endpoint — this is the attack surface for the path traversal.
  • Inspect the HTTP request body for the JSON/form field name 'tmp_name' (hex: 22 74 6d 70 5f 6e 61 6d 65 22 3a) followed immediately by a path traversal sequence '../' (hex: 2e 2e 2f) — this combination indicates active exploitation.
  • The vulnerability is in the file dropoff functionality; monitor for authenticated users supplying traversal sequences in the tmp_name parameter to access files outside the intended directory.
  • Classify detections under MITRE ATT&CK T1190 (Exploit Public-Facing Application) / TA0001 (Initial Access); deploy detection at both perimeter and internal network boundaries.
  • ·The vulnerability only affects authenticated attackers — unauthenticated POST requests to /dropoff should not trigger the same risk profile, though the Snort rule does not filter on authentication state.
  • ·Affected versions are ZendTo 6.15-7 and prior; ensure version scoping is applied when triaging alerts to reduce false positives on patched instances.

CVSS provenance

nvdv3.16.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.