Cyber Resilience

CVE-2025-53896

High

Published: 29 November 2025

Modified: 02 December 2025
CVSS v3.1 base score: 7.1 (vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0003 (9.3 percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53896 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Accellion Kiteworks Managed File Transfer. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). Its EPSS exploit likelihood ranks at the 9.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could, under certain circumstances, cause a user's active session not to time out properly after a period of inactivity. This issue has been patched in version 9.1.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Insufficient session expiration allows low-privilege valid accounts to persist access indefinitely without inactivity timeouts, facilitating prolonged unauthorized use of legitimate credentials.

Affected Assets

Accellion Kiteworks Managed File Transfer ≤ 9.1.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-613: Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access.

Addresses CWE-613: Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit.

Addresses CWE-613: Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions.

Addresses CWE-613: Terminating sessions and network connections upon completion prevents insufficient session expiration.

Addresses CWE-613: Directly enforces termination of network sessions after inactivity or end-of-session, preventing indefinite session lifetime.

Addresses CWE-613: Consistent clocks across systems allow session expiration and timeout enforcement to function as intended in distributed environments.

Addresses CWE-613: When the non-persistent artifact is a session or connection, mandatory termination implements the missing expiration that CWE-613 describes.

Addresses CWE-613: Timed refresh of session-related information or on-demand generation plus deletion implements proper session expiration.
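To make the inactivity-timeout control concrete, the following is an added Python illustration (not Kiteworks code and not from this entry's author) of a server-side session store evaluated with and without the idle-timeout check that the vulnerability details describe as missing. The timeout values are assumed policy numbers, not Kiteworks defaults.

```python
"""Idle-timeout enforcement for server-side sessions (CWE-613).

Added illustration, not Kiteworks code. Each session records when it was
created and when it was last used; a request is valid only if neither the
absolute lifetime nor the inactivity window has been exceeded.
"""
from dataclasses import dataclass

IDLE_TIMEOUT_S = 15 * 60        # assumed policy: 15 minutes of inactivity
ABSOLUTE_LIFETIME_S = 8 * 3600  # assumed policy: hard cap of 8 hours


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, enforce_idle: bool = True) -> None:
        self._sessions: dict[str, Session] = {}
        # enforce_idle=False reproduces the CWE-613 behaviour: only the
        # absolute lifetime is checked, so an idle session never times out.
        self._enforce_idle = enforce_idle

    def create(self, sid: str, user: str, now: float) -> None:
        self._sessions[sid] = Session(user, created_at=now, last_seen=now)

    def touch(self, sid: str, now: float) -> bool:
        """Validate one request. Returns True if the session is still live.
        Expired sessions are deleted server-side so the id cannot be reused."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        expired = now - s.created_at > ABSOLUTE_LIFETIME_S
        if self._enforce_idle and now - s.last_seen > IDLE_TIMEOUT_S:
            expired = True  # the inactivity check the vulnerable build lacked
        if expired:
            del self._sessions[sid]
            return False
        s.last_seen = now  # activity extends the idle window, never the cap
        return True


def demonstrate() -> tuple:
    """Same request pattern against both stores: login at t=0, one request
    at t=60, then silence until just past the idle window. Constructed data."""
    results = []
    for enforce in (False, True):
        store = SessionStore(enforce_idle=enforce)
        store.create("sid-demo", "alice", now=0.0)
        store.touch("sid-demo", now=60.0)
        results.append(store.touch("sid-demo", now=60.0 + IDLE_TIMEOUT_S + 1))
    return tuple(results)  # (True, False): only the enforcing store expires it
```

Consistent clocks matter here too: `now` must come from a trusted, synchronised server clock, never from the client.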
