CVE-2025-46093

Published: Aug 4, 2025Modified: Aug 7, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration.

Affected (1)

Products: Liquidfiles: Liquidfiles

Liquidfiles

1 product

Liquidfiles

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Liquidfiles Liquidfiles	Before 4.1.2

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

https://docs.liquidfiles.com/release_notes/version_4-1-x.html

Source: cve@mitre.org

Release Notes

https://gist.github.com/nikolai0x/f61a8bfcdaa244e0c46931d74d10c4ea

Source: cve@mitre.org

Third Party Advisory

https://projectblack.io/blog/liquidfiles-vulnerability-authenticated-rce/

Source: cve@mitre.org

ExploitThird Party Advisory

https://projectblack.io/blog/liquidfiles-vulnerability-authenticated-rce/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.