Path Traversal Vulnerability in ZendTo File Sharing Application
CVE-2025-34508

5.3 MEDIUM

Key Information:

Vendor: Zendto

Status: Vendor

CVE Published: 17 June 2025

Badges

📈 Score: 117 · 👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

What is CVE-2025-34508?

CVE-2025-34508 is a critical path traversal vulnerability identified in the ZendTo file sharing application, affecting versions 6.15-7 and earlier. ZendTo is a file transfer solution that lets users share large files over the internet. The vulnerability allows a remote, authenticated attacker to abuse the file dropoff functionality to access files belonging to other users of the platform, and potentially to retrieve sensitive files from the underlying host system. An attacker can also trigger a denial of service, disrupting the file-sharing service for all users. The root cause is a failure to validate user-supplied path components, which underscores the importance of validating such input before it is used to build filesystem paths.
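To make the "validate user-supplied path components" point concrete, the following added example (written for this page, not ZendTo's code, and assuming a hypothetical layout of `<dropoff_root>/<claim_id>/<filename>`) shows the vulnerable join pattern next to a hardened lookup that rejects any request whose resolved path leaves the dropoff root. The sample requests at the bottom are constructed.

```python
"""Rejecting path traversal in a file-dropoff lookup.

Assumed (hypothetical) storage layout, not ZendTo's real one:
    <dropoff_root>/<claim_id>/<filename>
"""
import os
from typing import Optional, Tuple

# Components that must never come from user input as a single path segment.
REJECTED_COMPONENTS = {"", ".", ".."}


def unsafe_dropoff_path(dropoff_root: str, claim_id: str, filename: str) -> str:
    """The vulnerable pattern: untrusted input joined onto a trusted base.

    A filename containing "../" segments climbs out of the dropoff root,
    and an absolute filename makes os.path.join discard the root entirely.
    """
    return os.path.join(dropoff_root, claim_id, filename)


def validate_dropoff_path(
    dropoff_root: str, claim_id: str, filename: str
) -> Tuple[Optional[str], Optional[str]]:
    """Return (resolved_path, None) when the request stays inside the root,
    otherwise (None, reason).

    Two independent checks are applied:
      1. each user-supplied component must be a single plain name
         (no separators, no dot components, no NUL bytes);
      2. the fully resolved path must still have dropoff_root as an ancestor,
         which also covers cases the lexical check cannot see, such as a
         symlink on disk that points outside the root.
    """
    for label, part in (("claim_id", claim_id), ("filename", filename)):
        if part in REJECTED_COMPONENTS:
            return None, f"{label} is empty or a dot component"
        if "/" in part or "\\" in part or "\x00" in part:
            return None, f"{label} contains a path separator or NUL byte"

    root = os.path.realpath(dropoff_root)
    candidate = os.path.realpath(os.path.join(root, claim_id, filename))
    # commonpath collapses to the root only if candidate is at or below it.
    if os.path.commonpath([root, candidate]) != root:
        return None, "resolved path escapes the dropoff root"
    return candidate, None


def escapes_root(dropoff_root: str, path: str) -> bool:
    """Detection helper: True when a (possibly unnormalised) path resolves
    to a location that is not under dropoff_root."""
    root = os.path.realpath(dropoff_root)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


if __name__ == "__main__":
    root = "/srv/dropoffs"  # assumed location, not ZendTo's real path
    # Constructed sample requests: the first is legitimate, the rest are not.
    requests = [
        ("abc123", "report.pdf"),
        ("abc123", "../../etc/passwd"),
        ("..", "config.php"),
        ("abc123", "/etc/hosts"),
    ]
    for claim, name in requests:
        naive = unsafe_dropoff_path(root, claim, name)
        resolved, reason = validate_dropoff_path(root, claim, name)
        print(f"{claim!r}/{name!r}")
        print(f"  naive join escapes root: {escapes_root(root, naive)}")
        print(f"  hardened lookup: {resolved or 'REJECTED (' + reason + ')'}")
```

The second check is the one that matters most operationally: it is cheap, it does not depend on enumerating every encoding of `..`, and it can be logged as a single "resolved path escapes root" event that a detection rule can alert on.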

Potential impact of CVE-2025-34508

  1. Data Breach Risk: The vulnerability allows attackers to access and exfiltrate files belonging to other users, which can lead to significant data leaks and breaches of confidential information.

  2. Denial of Service Attacks: Exploiting this vulnerability could enable attackers to disrupt the availability of the ZendTo service, resulting in operational downtime and affecting business continuity.

  3. Host System Compromise: The ability for an attacker to retrieve files from the host system poses a severe risk, as it could expose critical system files and sensitive configurations, potentially leading to further exploitation and system takeover.


Affected Version(s)

ZendTo 0 < 6.15-8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

Critical Flaw in ZendTo File Transfer App Exposes User Data Across Organizations

Security researchers have uncovered a serious path traversal vulnerability in ZendTo, a widely used file-sharing platform trusted by universities, government agencies, and healthcare organizations worldwide....

Warning: Path Traversal Vulnerability in ZendTo (CVE-2025-34508), Patch Immediately! | CCB Safeonweb

Published: 23/06/2025 * Last update: 23/06/2025 * Affected software: ZendTo versions 6.15-7 and prior * Type: Path Traversal Vulnerability * CVE/CVSS → CVE-2025-34508:...

ZendTo CVE-2025-34508: SonicWall Protections Released

A path traversal vulnerability in ZendTo could expose sensitive files. Learn how SonicWall helps protect against CVE-2025-34508.

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by Horizon3.ai

  • Vulnerability published

  • Vulnerability Reserved

Credit

Horizon3.ai