CVE-2025-46093
CRITICALLiquidFiles < 4.1.2 - Authenticated Remote Code Execution via FTP SITE CHMOD
Title source: llmDescription
LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration.
References (3)
Core 3
Core References
Third Party Advisory
https://gist.github.com/nikolai0x/f61a8bfcdaa244e0c46931d74d10c4ea
Exploit, Third Party Advisory
https://projectblack.io/blog/liquidfiles-vulnerability-authenticated-rce/
Scores
CVSS v3
9.9
EPSS
0.0050
EPSS Percentile
38.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-732
Status
published
Products (1)
liquidfiles/liquidfiles
< 4.1.2
Published
Aug 04, 2025
Tracked Since
Feb 18, 2026