CVE-2025-8356
published 2025-08-08


Priority: P276
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.72% (96.2th percentile)
In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.

Affected

9 ranges

Vendor  Product        Version range            Fixed in
linux   linux_kernel   >= 4.5.0  < 5.4.302      5.4.302
linux   linux_kernel   >= 5.11.0 < 5.15.197     5.15.197
linux   linux_kernel   >= 5.16.0 < 6.1.159      6.1.159
linux   linux_kernel   >= 5.5.0  < 5.10.247     5.10.247
linux   linux_kernel   >= 6.13.0 < 6.17.10      6.17.10
linux   linux_kernel   >= 6.2.0  < 6.6.118      6.6.118
linux   linux_kernel   >= 6.7.0  < 6.12.60      6.12.60
xerox   freeflow_core  < 8.0.5                  8.0.5
xerox   freeflow_core  (no range given)         (not given)

Detection & IOCs (extracted from sources)

snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Xerox FreeFlow Core Arbitrary File Upload/Directory Traversal Attempt (CVE-2025-8356)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:1; content:"/"; http.content_type; content:"multipart/related"; http.request_body; content:"application/vnd.cip4-jmf+xml"; fast_pattern; content:"Content-Disposition|3a 20|attachment|3b 20|filename|3d 22|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/; reference:cve,2025-8536; reference:cve,2025-8356; classtype:attempted-admin; sid:2064001; rev:1; metadata:affected_product Xerox, attack_target Server, tls_state plaintext, created_at 2025_08_13, cve CVE_2025_8356, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests with Content-Type 'multipart/related' containing 'application/vnd.cip4-jmf+xml' in the body — this is the CIP4/JMF protocol abused for the file upload vector.
  • Detect path traversal sequences in the Content-Disposition filename field: look for dot-dot sequences using literal dots or URL-encoded variants (%2e), combined with forward/back slashes or their encoded forms (%2f, %5c), appearing two or more times consecutively.
  • Flag HTTP POST requests where the body contains 'Content-Disposition: attachment; filename="' followed by a path traversal pattern — this indicates an attempted arbitrary file upload to an unauthorized path.
  • Rule targets plaintext (non-TLS) traffic inbound to the server; deploy at both perimeter and internal network chokepoints for coverage.
  • The Snort rule references CVE-2025-8536 in addition to CVE-2025-8356 — operators should confirm whether both CVEs share the same attack vector or if the rule was intentionally written to cover both.
  • The URI match uses 'bsize:1; content:"/"' which matches any URI beginning with '/'. This is intentionally broad and may produce false positives; tune with additional body/header conditions before deploying in block mode.
  • The vulnerability affects Xerox FreeFlow Core version 8.0.4 specifically; scope detection rules to hosts running this product/version to reduce noise.
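The conditions the bullets above describe can be checked outside Snort, for example in a log-replay or WAF-tuning script. The following is an added example written for this page, not code from the rule's author, Proofpoint, Horizon3 or Xerox. It applies the same four conditions as the rule (POST, multipart/related Content-Type, a CIP4/JMF part in the body, a traversal sequence in an attachment filename) to constructed request bodies built by the hypothetical `_request` helper. It goes slightly beyond the rule in one respect: the filename is checked both raw and once URL-decoded, so a double-encoded dot-dot (%252e) is also flagged.

```python
import re
from urllib.parse import unquote

# Marker the Snort rule uses as its fast_pattern: the CIP4/JMF part inside
# the multipart/related upload.
JMF_MARKER = "application/vnd.cip4-jmf+xml"

# Filename value of a Content-Disposition attachment header in the body.
DISPOSITION_RE = re.compile(
    r'Content-Disposition:\s*attachment;\s*filename="([^"]*)"', re.IGNORECASE
)

# Same shape as the rule's pcre: one or two dots (literal or %2e), followed by
# one or more slashes (literal / or \, or %2f / %5c), the whole group at least
# twice in a row. A single "../" therefore does not match, just as in the rule.
TRAVERSAL_RE = re.compile(r"(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}")


def is_suspicious_upload(method, headers, body):
    """Return (matched, reason) for one HTTP request.

    Conditions mirror the rule: POST, multipart/related Content-Type, a JMF
    part in the body, and a traversal sequence in an attachment filename.
    The filename is checked raw and once URL-decoded, so a double-encoded
    form (%252e) is caught too; that decode step is an addition to the rule.
    """
    if method.upper() != "POST":
        return False, "not a POST request"
    lowered = {k.lower(): v for k, v in headers.items()}
    if "multipart/related" not in lowered.get("content-type", "").lower():
        return False, "Content-Type is not multipart/related"
    if JMF_MARKER not in body:
        return False, "no JMF part in body"
    for match in DISPOSITION_RE.finditer(body):
        filename = match.group(1)
        for candidate in (filename, unquote(filename)):
            if TRAVERSAL_RE.search(candidate):
                return True, f"traversal in attachment filename: {filename!r}"
    return False, "no traversal sequence in attachment filenames"


def _request(filename):
    """Constructed (hypothetical) multipart/related request with a JMF part and one attachment."""
    boundary = "----example-boundary"
    body = (
        f"--{boundary}\r\n"
        f"Content-Type: {JMF_MARKER}\r\n\r\n"
        "<JMF/>\r\n"
        f"--{boundary}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        "payload-bytes\r\n"
        f"--{boundary}--\r\n"
    )
    headers = {"Content-Type": f"multipart/related; boundary={boundary}"}
    return "POST", headers, body


if __name__ == "__main__":
    for name in ("job.pdf", "../x.txt", "../../../x.txt",
                 "%2e%2e%2f%2e%2e%2fx.txt", "%252e%252e/%252e%252e/x"):
        matched, reason = is_suspicious_upload(*_request(name))
        print(f"{name!r}: {'ALERT' if matched else 'ok'} ({reason})")
```

The function returns the reason alongside the verdict so that, when tuning the broad URI match the bullets warn about, an operator can see which of the body conditions actually fired on each request rather than only a boolean.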

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat: 5.5 MEDIUM