CVE-2025-46093 PUBLISHED

Assigner: mitre
Reserved: 22.04.2025 Published: 04.08.2025 Updated: 05.08.2025

LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	LiquidFiles
Product	LiquidFiles
Versions	Default: unaffected affected from 0 to 4.1.2 (excl.)

References

https://docs.liquidfiles.com/release_notes/version_4-1-x.html
https://projectblack.io/blog/liquidfiles-vulnerability-authenticated-rce/
https://gist.github.com/nikolai0x/f61a8bfcdaa244e0c46931d74d10c4ea

Problem Types

CWE-732 Incorrect Permission Assignment for Critical Resource CWE