CVE-2025-46093
Published: 04 August 2025
Summary
CVE-2025-46093 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Liquidfiles Liquidfiles. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 40.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Patching LiquidFiles to version 4.1.2 or later removes support for FTP SITE CHMOD mode 6777, directly preventing the privilege escalation to root via setuid/setgid.
Least privilege enforcement restricts FTPDrop users from performing actions that set setuid/setgid permissions, blocking the path to arbitrary root code execution.
Access enforcement prevents unauthorized logical access operations like SITE CHMOD 6777 that enable exploitation through Actionscript and sudoers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln enables RCE+priv esc via setuid/setgid chmod abuse on public-facing FTP app combined with sudoers misconfig.
NVD Description
LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration.
Deeper analysisAI
CVE-2025-46093 is a critical vulnerability in LiquidFiles versions prior to 4.1.2, stemming from improper permission handling classified under CWE-732. The issue arises because the software supports the FTP SITE CHMOD command for mode 6777, which enables setuid and setgid permissions. This misconfiguration allows exploitation through the Actionscript feature combined with the system's sudoers setup, leading to unauthorized privilege escalation.
An authenticated attacker with low privileges, specifically an FTPDrop user, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants the ability to execute arbitrary code with root privileges, resulting in complete compromise of the system, including high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Mitigation is addressed in LiquidFiles version 4.1.2 and later, as detailed in the vendor's release notes for the 4.1.x series. Security advisories and analyses, including those from ProjectBlack and a related GitHub Gist, confirm the vulnerability as an authenticated remote code execution issue and provide further technical details on the exploit mechanism. Administrators should upgrade to the patched version immediately.
Details
- CWE(s)