CVE-2025-8356 PUBLISHED

Path Traversal leading to RCE

Assigner: Xerox
Reserved: 30.07.2025 Published: 08.08.2025 Updated: 13.08.2025

In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Xerox
Product	FreeFlow Core
Versions	Default: affected affected from 0 to 8.0.5 (excl.)

References

https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-94 Improper Control of Generation of Code ('Code Injection') CWE

Impacts

CAPEC-126 Path Traversal
CAPEC-242 Code Injection