CVE-2025-56132
published 2025-09-30


Priority: P278 · high · 7.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploit status: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 0.65% (46.4th percentile)
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Although version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place; only basic IP-based rate limiting is enforced, and this IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IPs or proxies), effectively bypassing both the login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered with the application, increasing the risk of follow-up attacks such as password spraying.

Affected (1 range)

Vendor       Product      Version range   Fixed in
liquidfiles  liquidfiles  < 4.2.0         4.2.0

Detection & IOCs (extracted from sources)

url:   POST /password_reset HTTP/1.1
path:  /password_reset
other: invalid_email
  • Detect user enumeration attempts against LiquidFiles password reset endpoint: look for POST requests to /password_reset with body parameter 'user[email]=' from unauthenticated sources.
  • A distinguishable response body containing 'invalid_email' alongside 'LiquidFiles' on a 200 OK after a password reset attempt indicates the application is leaking account existence information.
  • Presence of a Set-Cookie header with '_filetransfer_session' combined with a 302 redirect on the password reset POST can be used to fingerprint a valid LiquidFiles instance responding to enumeration probes.
  • Use Shodan/FOFA queries to identify exposed LiquidFiles instances as potential targets: http.title:"LiquidFiles" / title="LiquidFiles".
  • IP-based rate limiting bypass via distributed/rotating IPs or proxies is a key attacker technique; monitor for high-volume password reset requests originating from many distinct source IPs targeting /password_reset.
  • User enumeration via distinguishable password reset responses remains possible by default even in version 4.2, which only adds user-based lockout and does not normalize responses.
  • In versions prior to 4.2, only IP-based rate limiting is enforced on the password reset endpoint, with no user-level protection, making enumeration trivially scalable.
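The detection notes above describe the pattern to hunt for: a burst of POST requests to /password_reset spread across many distinct source IPs (each IP staying under the per-IP rate limit) and a mix of 200 and 302 responses on the same endpoint. The following is an added example of that logic run over web-server access logs; it is not code from cvebase, VulnCheck or LiquidFiles. It assumes NCSA combined-format log lines (the sample lines below are constructed), and the window size and thresholds are hypothetical values to be tuned against a site's normal password-reset volume.

```python
"""Flag distributed user-enumeration probing of a LiquidFiles
/password_reset endpoint from access logs (added example; assumptions
and sample data are labelled inline)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log format: NCSA combined, e.g. Apache/nginx default access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
RESET_PATH = "/password_reset"

# Constructed sample: eight resets in eight seconds from eight different
# source addresses (one request each, so no per-IP limit fires), mostly
# 200 responses with one 302, followed later by one ordinary reset.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Sep/2025:10:00:01 +0000] "POST /password_reset HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.11 - - [30/Sep/2025:10:00:02 +0000] "POST /password_reset HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.12 - - [30/Sep/2025:10:00:03 +0000] "POST /password_reset HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.13 - - [30/Sep/2025:10:00:04 +0000] "POST /password_reset HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.14 - - [30/Sep/2025:10:00:05 +0000] "POST /password_reset HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.15 - - [30/Sep/2025:10:00:06 +0000] "POST /password_reset HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.16 - - [30/Sep/2025:10:00:07 +0000] "POST /password_reset HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.17 - - [30/Sep/2025:10:00:08 +0000] "POST /password_reset HTTP/1.1" 200 1842 "-" "curl/8.0"
198.51.100.5 - - [30/Sep/2025:10:29:50 +0000] "GET /login HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.5 - - [30/Sep/2025:10:30:00 +0000] "POST /password_reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) for one log line,
    or None if the line does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop any query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size time window."""
    epoch = ts.timestamp()
    return datetime.fromtimestamp(epoch - epoch % window.total_seconds(), tz=ts.tzinfo)


def find_enumeration_bursts(log_text, window=timedelta(minutes=5),
                            min_requests=5, min_distinct_ips=5):
    """Group POST /password_reset requests into time windows and flag any
    window whose volume is high AND spread over many source IPs. The
    per-IP maximum is reported because a low value is the signature of
    rotating addresses to stay under IP-based rate limiting; the status
    mix is reported because a 200/302 split on the same endpoint is the
    distinguishable-response behaviour an enumerator relies on."""
    per_window = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != RESET_PATH:
            continue
        w = per_window.setdefault(window_start(ts, window),
                                  {"ips": Counter(), "status": Counter()})
        w["ips"][ip] += 1
        w["status"][status] += 1

    alerts = []
    for start in sorted(per_window):
        w = per_window[start]
        total = sum(w["ips"].values())
        if total >= min_requests and len(w["ips"]) >= min_distinct_ips:
            alerts.append({
                "window_start": start.isoformat(),
                "requests": total,
                "distinct_ips": len(w["ips"]),
                "max_per_ip": max(w["ips"].values()),
                "status_counts": dict(w["status"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration_bursts(SAMPLE_LOG):
        print(alert)
```

Only the 10:00 window is flagged: eight requests from eight addresses with at most one request per IP, which is exactly the shape that slips past per-IP limiting. The single reset at 10:30 is ordinary traffic and stays below both thresholds. In production the same aggregation is better expressed as a SIEM query keyed on the `/password_reset` path, with the thresholds set from a baseline of the site's legitimate reset rate.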

CVSS provenance

nvd        v3.1  7.3  HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vulncheck        7.3  HIGH