Path Traversal Vulnerability in tftpsync by SUSE
CVE-2025-53880

8.7 HIGH

What is CVE-2025-53880?

A path traversal vulnerability exists in the tftpsync application that allows a remote attacker on an adjacent network to manipulate files on the filesystem, including writing or deleting files with the privileges of the unprivileged wwwrun user. The endpoint does not require authentication, but access is restricted to a specified list of allowed IP addresses, so the risk remains significant if any of those addresses is compromised.

Affected Version(s)

  • Container suse/manager/4.3/proxy-httpd:latest: versions < 4.3.11-150400.3.15.3

  • Container suse/manager/5.0/x86_64/proxy-httpd:latest: versions < 5.0.3-150600.3.6.4

  • Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:latest: versions < 5.1.3-150700.3.3.3

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Paolo Perego of SUSE.