CVE-2025-34508
ZendTo Path Traversal Vulnerability
CVE-2025-34508 is a path traversal vulnerability discovered by Horizon3.ai in ZendTo, a web-based file transfer application. This critical vulnerability affects ZendTo versions 6.15-7 and prior. It allows remote attackers to bypass security controls, enabling them to access or modify sensitive information of other users.
Exploitation allows an attacker to specify arbitrary files, moving them from any accessible location to a newly created dropoff directory. This action reveals the contents of the moved files. For instance, an attacker could move the zendto.log file to gain access to dropoff claimIDs, potentially leading to access to other user-uploaded content. Moving critical files, such as the ZendTo database, could also result in a denial of service.
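The defect class described above comes down to moving a file named by the client without confirming where that name resolves. The Python example below is added here for illustration; it is not ZendTo's code and is not taken from the vendor patch. It shows a containment check applied before a staged upload is moved into a dropoff directory. The directory layout, the function names and the sample files are assumptions constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied file reference leaves the staging area."""


def move_upload_to_dropoff(staging_root: Path, supplied: str, dropoff_dir: Path) -> Path:
    """Move one staged upload into dropoff_dir, refusing anything outside staging_root."""
    root = staging_root.resolve(strict=True)
    # Join first, then resolve: collapses "..", absolute overrides and symlinks.
    candidate = (root / supplied).resolve(strict=True)
    if candidate == root or not candidate.is_relative_to(root):
        raise UnsafePathError(f"outside staging area: {supplied!r}")
    if not candidate.is_file():
        raise UnsafePathError(f"not a regular file: {supplied!r}")
    dropoff_dir.mkdir(parents=True, exist_ok=True)
    target = dropoff_dir / candidate.name
    shutil.move(str(candidate), str(target))  # move the resolved path that was checked
    return target


def demo() -> dict:
    """Run the check over constructed inputs in a throwaway directory tree."""
    base = Path(tempfile.mkdtemp())
    staging, dropoff = base / "incoming", base / "dropoffs" / "new"  # hypothetical layout
    staging.mkdir()
    (staging / "report.pdf").write_text("upload")   # legitimate staged upload
    log = base / "zendto.log"                        # stands in for the application log
    log.write_text("constructed log line")
    os.symlink(log, staging / "link")                # symlink that escapes staging
    cases = {"staged": "report.pdf", "dotdot": "../zendto.log",
             "absolute": str(log), "symlink": "link", "missing": "missing.bin"}
    results = {}
    for label, name in cases.items():
        try:
            move_upload_to_dropoff(staging, name, dropoff)
            results[label] = "moved"
        except (UnsafePathError, FileNotFoundError) as exc:
            results[label] = type(exc).__name__
    results["log_still_in_place"] = log.exists()
    shutil.rmtree(base)
    return results
```

Calling demo() moves only the staged upload; the relative, absolute and symlinked references to the log file are rejected and the log stays where it was.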
Impact
Successful exploitation of this vulnerability can lead to:
- Unauthorized access to sensitive user information.
- Modification of sensitive data.
- Potential denial of service by moving critical system files.
- Full control over the affected system if critical files like the database are manipulated.
Mitigations
- Consult the vendor advisory and upgrade ZendTo immediately to the patched version 6.15-8 or later.
Rapid Response N-Day Testing

🔗 CVE-2025-34508: Another File Sharing Application, Another Path Traversal | H3 Analysis
🔗 CVE-2025-34508 | NIST Detail