CVE-2025-34508
published 2025-06-17CVE-2025-34508: A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker…
PriorityP353medium6.3CVSS 3.1
AVNACLPRLUINSUCLILAL
EPSS
62.06%
99.1th percentile
A path traversal vulnerability exists in the file dropoff functionality
of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host
system, or cause a denial of service.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zendto | zendto | < 6.15-8 | 6.15-8 |
Detection & IOCsextracted from sources · hover to see the quote
url/dropoff
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZendTo Dropoff Path Traversal (CVE-2025-34508)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dropoff"; fast_pattern; startswith; http.request_body; content:"|22|tmp_name|22 3a|"; content:"|2e 2e 2f|"; distance:0; reference:url,horizon3.ai/attack-research/attack-blogs/cve-2025-34508-another-file-sharing-application-another-path-traversal/; reference:cve,2025-34508; classtype:web-application-attack; sid:2063026; rev:1; metadata:attack_target Server, created_at 2025_06_17, cve CVE_2025_34508, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
|22|tmp_name|22 3a| followed by |2e 2e 2f| ("tmp_name": ... ../)- →Look for HTTP POST requests to the /dropoff URI endpoint — this is the attack surface for the path traversal.
- →Inspect the HTTP request body for the JSON/form field name 'tmp_name' (hex: 22 74 6d 70 5f 6e 61 6d 65 22 3a) followed immediately by a path traversal sequence '../' (hex: 2e 2e 2f) — this combination indicates active exploitation.
- →The vulnerability is in the file dropoff functionality; monitor for authenticated users supplying traversal sequences in the tmp_name parameter to access files outside the intended directory.
- →Classify detections under MITRE ATT&CK T1190 (Exploit Public-Facing Application) / TA0001 (Initial Access); deploy detection at both perimeter and internal network boundaries.
- ·The vulnerability only affects authenticated attackers — unauthenticated POST requests to /dropoff should not trigger the same risk profile, though the Snort rule does not filter on authentication state.
- ·Affected versions are ZendTo 6.15-7 and prior; ensure version scoping is applied when triaging alerts to reduce false positives on patched instances.
CVSS provenance
nvdv3.16.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS ZendTo Dropoff Path Traversal (CVE-2025-34508)
suricata·2025-06-17·CVSS 5.3
CVE-2025-34508 [MEDIUM] ET WEB_SPECIFIC_APPS ZendTo Dropoff Path Traversal (CVE-2025-34508)
ET WEB_SPECIFIC_APPS ZendTo Dropoff Path Traversal (CVE-2025-34508)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZendTo Dropoff Path Traversal (CVE-2025-34508)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dropoff"; fast_pattern; startswith; http.request_body; content:"|22|tmp_name|22 3a|"; content:"|2e 2e 2f|"; distance:0; reference:url,horizon3.ai/attack-research/attack-blogs/cve-2025-34508-another-file-sharing-application-another-path-traversal/; reference:cve,2025-34508; classtype:web-application-attack; sid:2063026; rev:1; metadata:attack_target Server, created_at 2025_06_17, cve CVE_2025_34508, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_17, mitre_tactic
No public exploits indexed.
2025-06-17
Published