CVE-2025-34120

HIGH

LimeSurvey <2.06+ Build 151014 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-34120. PoCs published by Pichaya Morimoto, Christian Mehlmauer, including Metasploit module auxiliary/admin/http/limesurvey_file_download.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated file download vulnerability in LimeSurvey by leveraging a deserialization flaw to traverse directories and download arbitrary files as a ZIP archive. The exploit constructs a serialized payload to manipulate file paths and retrieves the file via HTTP.

Description

An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify arbitrary file paths using a crafted `datasupdateinfo` payload. The files are packaged in a ZIP archive and made available for download without authentication. This vulnerability can be exploited to read arbitrary files on the host system, including sensitive OS and configuration files.

Exploits (1)

metasploit WORKING POC

by Pichaya Morimoto, Christian Mehlmauer · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/limesurvey_file_download.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated file download vulnerability in LimeSurvey by leveraging a deserialization flaw to traverse directories and download arbitrary files as a ZIP archive. The exploit constructs a serialized payload to manipulate file paths and retrieves the file via HTTP.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: LimeSurvey 2.0+ to 2.06+ Build 151014

No auth needed

Prerequisites: Network access to the target LimeSurvey instance · Knowledge of the target file path

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources vendor-advisory patch

https://web.archive.org/web/20210123073627/https://www.limesurvey.org/blog/22-security/136-limesurvey-security-advisory-10-2015

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/http/limesurvey_file_download.rb

Various Sources exploit

https://packetstorm.news/files/id/180855

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/limesurvey-unauthenticated-arbitrary-file-download

Vendor Advisory third-party-advisory technical-description

https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-lime-survey/

Scores

CVSS v4 8.7

EPSS 0.6994

EPSS Percentile 98.7%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22 CWE-306

Status published

Products (1)

LimeSurvey GmbH/LimeSurvey 2.0+ - 2.06+ Build 151014

Published Jul 16, 2025

Tracked Since Feb 18, 2026