CVE-2020-37086

MEDIUM

Easy Transfer 1.7 iOS - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37086. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary: The exploit demonstrates a directory traversal vulnerability in Easy Transfer v1.7 for iOS, allowing remote attackers to access sensitive system paths via manipulated GET requests. It also includes proof-of-concept payloads for persistent XSS vulnerabilities in the 'Create Folder' and 'Move/Edit' functions.

Description

Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download sensitive system files and inject malicious scripts into application parameters.

Exploits (1)

exploitdb WORKING POC
by Vulnerability-Lab · text · webapps · ios
https://www.exploit-db.com/exploits/48395

Classification: Working PoC 90%
Attack Type: Info Leak | XSS
Complexity: Trivial
Reliability: Reliable
Target: Easy Transfer v1.7 for iOS
No auth needed
Prerequisites: Network access to the target device
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48395
Various Sources technical-description exploit
https://www.vulnerability-lab.com/get_content.php?id=2223

Scores

CVSS v3 6.2
EPSS 0.0050
EPSS Percentile 38.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-22
Status published
Products (1)
Rubikon Teknoloji/Easy Transfer 1.7
Published Feb 03, 2026
Tracked Since Feb 18, 2026