CVE-2025-46093

CRITICAL

LiquidFiles < 4.1.2 - Incorrect Permission Assignment

Title source: rule

Description

LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration.

Scores

CVSS v3 9.9
EPSS 0.0019
EPSS Percentile 40.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-732
Status published
Products (1)
liquidfiles/liquidfiles < 4.1.2
Published Aug 04, 2025
Tracked Since Feb 18, 2026