CVE-2025-8356
published 2025-08-08
CVE-2025-8356: In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to…
Priority P276 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.72% (96.2th percentile)
In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 4.5.0 < 5.4.302 | 5.4.302 |
| linux | linux_kernel | >= 5.11.0 < 5.15.197 | 5.15.197 |
| linux | linux_kernel | >= 5.16.0 < 6.1.159 | 6.1.159 |
| linux | linux_kernel | >= 5.5.0 < 5.10.247 | 5.10.247 |
| linux | linux_kernel | >= 6.13.0 < 6.17.10 | 6.17.10 |
| linux | linux_kernel | >= 6.2.0 < 6.6.118 | 6.6.118 |
| linux | linux_kernel | >= 6.7.0 < 6.12.60 | 6.12.60 |
| xerox | freeflow_core | < 8.0.5 | 8.0.5 |
| xerox | freeflow_core | — | — |
Detection & IOCs
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Xerox FreeFlow Core Arbitrary File Upload/Directory Traversal Attempt (CVE-2025-8356)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:1; content:"/"; http.content_type; content:"multipart/related"; http.request_body; content:"application/vnd.cip4-jmf+xml"; fast_pattern; content:"Content-Disposition|3a 20|attachment|3b 20|filename|3d 22|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/; reference:cve,2025-8536; reference:cve,2025-8356; classtype:attempted-admin; sid:2064001; rev:1; metadata:affected_product Xerox, attack_target Server, tls_state plaintext, created_at 2025_08_13, cve CVE_2025_8356, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Look for HTTP POST requests with Content-Type 'multipart/related' containing 'application/vnd.cip4-jmf+xml' in the body: this is the CIP4/JMF protocol abused for the file upload vector.
- Detect path traversal sequences in the Content-Disposition filename field: look for dot-dot sequences using literal dots or URL-encoded variants (%2e), combined with forward/back slashes or their encoded forms (%2f, %5c), appearing two or more times consecutively.
- Flag HTTP POST requests where the body contains 'Content-Disposition: attachment; filename="' followed by a path traversal pattern: this indicates an attempted arbitrary file upload to an unauthorized path.
- Rule targets plaintext (non-TLS) traffic inbound to the server; deploy at both perimeter and internal network chokepoints for coverage.
- The Snort rule references CVE-2025-8536 in addition to CVE-2025-8356. Operators should confirm whether both CVEs share the same attack vector or if the rule was intentionally written to cover both.
- The URI match uses 'bsize:1; content:"/"' which matches any URI beginning with '/'. This is intentionally broad and may produce false positives; tune with additional body/header conditions before deploying in block mode.
- The vulnerability affects Xerox FreeFlow Core version 8.0.4 specifically; scope detection rules to hosts running this product/version to reduce noise.
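The content-type and request-body conditions from the notes above, applied offline to a single request, as an added example that is not part of the rule source or of this page. `find_traversal` and `build_request_body` are hypothetical names, the sample bodies are constructed, and the rule's URI and flow conditions are not modeled.

```python
import re

JMF_MARKER = b"application/vnd.cip4-jmf+xml"
DISPOSITION = b'Content-Disposition: attachment; filename="'
# The rule's pcre without its leading '^': Pattern.match(data, pos) anchors at
# pos, standing in for the /R (relative to the previous match) modifier.
TRAVERSAL = re.compile(
    rb"[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)


def find_traversal(method, content_type, body):
    """Return the bytes the rule's pcre would match, or None (hypothetical helper)."""
    if method != "POST" or "multipart/related" not in content_type:
        return None
    start = body.find(JMF_MARKER)
    if start < 0:
        return None
    # distance:0 -> the Content-Disposition literal must come after the JMF marker.
    pos = body.find(DISPOSITION, start + len(JMF_MARKER))
    while pos >= 0:
        after = pos + len(DISPOSITION)
        hit = TRAVERSAL.match(body, after)
        if hit:
            return hit.group(0)
        pos = body.find(DISPOSITION, after)
    return None


def build_request_body(filename):
    """Constructed sample multipart/related body, not captured traffic."""
    return (
        b"--b\r\nContent-Type: application/vnd.cip4-jmf+xml\r\n\r\n<JMF/>\r\n"
        b"--b\r\nContent-Type: application/octet-stream\r\n"
        b'Content-Disposition: attachment; filename="' + filename + b'"\r\n\r\n'
        b"sample\r\n--b--\r\n"
    )


if __name__ == "__main__":
    ctype = "multipart/related; boundary=b"
    for name in (b"job.pdf", b"../example.txt", b"../../example.txt",
                 b"%2e%2e%2f%2E%2E%5Cexample.txt"):
        print(name, "->", find_traversal("POST", ctype, build_request_body(name)))
```

A single `../` is not flagged because the pattern requires two or more consecutive traversal groups, which is worth keeping in mind when reading alert volume from this rule.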
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat · 5.5 MEDIUM
OSV
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
osv·2025-12-16
CVE-2025-68229 scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
attempt to dereference it in tcm_loop_tpg_address_show() we will get a
segfault, see below for an example. So, check tl_hba->sh before
dereferencing it.
Unable to allocate struct scsi_host
BUG: kernel NULL pointer dereference, address: 0000000000000194
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
Hardware name: Microsoft Corporation Virtual Machine/Virtual Mac
GHSA
GHSA-6rpm-hqp2-mf48: In Xerox FreeFlow Core version 8
ghsa_unreviewed·2025-08-08
CVE-2025-8356 [CRITICAL] CWE-22 GHSA-6rpm-hqp2-mf48: In Xerox FreeFlow Core version 8
Red Hat
kernel: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
vendor_redhat·2025-12-16·CVSS 5.5
CVE-2025-68229 [MEDIUM] CWE-252 kernel: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
Suricata
ET WEB_SPECIFIC_APPS Xerox FreeFlow Core Arbitrary File Upload/Directory Traversal Attempt (CVE-2025-8356)
suricata·2025-08-13·CVSS 9.8
CVE-2025-8536 [CRITICAL] ET WEB_SPECIFIC_APPS Xerox FreeFlow Core Arbitrary File Upload/Directory Traversal Attempt (CVE-2025-8356)
No public exploits indexed.
Greynoiseio
NoiseLetter August 2025
blogs_greynoiseio
Bugzilla
CVE-2025-68229 kernel: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
bugzilla·2025-12-16
CVE-2025-68229 [MEDIUM] CVE-2025-68229 kernel: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
2025-08-08
Published