Cyber Resilience

CVE-2025-56132

Severity: High
Published: 30 September 2025
Modified: 15 October 2025
KEV Added: not listed
Patch:
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0241 (85.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-56132 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in the LiquidFiles file transfer server (vendor: LiquidFiles). Its CVSS base score is 7.3 (High).

Operationally, it ranks in the top 14.6% of CVEs by exploit likelihood (EPSS 85.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

LiquidFiles file transfer server contains a user enumeration vulnerability in its password reset functionality: the application returns distinguishable responses for valid versus invalid email addresses. All versions prior to 4.2 are affected; they rely solely on basic IP-based rate limiting. Version 4.2 adds user-based lockout mechanisms, but they are not enabled by default. The issue is tracked as CWE-305 with a CVSS 3.1 score of 7.3.

Unauthenticated attackers can exploit the flaw by submitting password reset requests and observing response differences to confirm the existence of registered accounts. The IP-based controls present before version 4.2 can be bypassed through request distribution across multiple IPs or proxies, enabling enumeration that facilitates follow-on attacks such as password spraying.
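The two behaviours described above, shown side by side as an added example (not LiquidFiles code): a reset responder that leaks account existence next to one that answers uniformly, plus a log check that counts distinct addresses submitted to the reset endpoint across all source IPs, so probing spread over proxies is still visible when per-IP rate limiting sees nothing. The log line format, endpoint path, addresses and thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (not real accounts, mail or logs).
REGISTERED = {"alice@example.com", "bob@example.com"}
OUTBOX = []  # stands in for the mail queue


def reset_response_vulnerable(email):
    """Pattern the advisory describes: the reply differs by account existence."""
    if email in REGISTERED:
        OUTBOX.append(email)
        return 200, "A reset link has been sent to your address."
    return 404, "No account found for this address."


def reset_response_hardened(email):
    """Identical status and body either way; only the side effect differs,
    and it is queued rather than performed inline so timing stays uniform."""
    if email in REGISTERED:
        OUTBOX.append(email)
    return 200, "If an account exists for this address, a reset link has been sent."


def detect_reset_probing(log_lines, path="/password_reset", max_distinct=5):
    """Count distinct addresses sent to the reset endpoint per source IP and in
    total. A high total with no single noisy IP matches the distributed
    request pattern that defeats IP-only rate limiting.
    Assumed log line format: '<timestamp> <ip> <path> <email>'."""
    per_ip = defaultdict(set)
    for line in log_lines:
        _ts, ip, req_path, email = line.split()
        if req_path == path:
            per_ip[ip].add(email)
    total = set().union(*per_ip.values()) if per_ip else set()
    noisy_ips = sorted(ip for ip, e in per_ip.items() if len(e) > max_distinct)
    return {
        "noisy_ips": noisy_ips,
        "distributed_probe": len(total) > max_distinct and not noisy_ips,
        "distinct_emails": len(total),
    }


SAMPLE_LOG = [  # constructed: three sources, two addresses each, one unrelated hit
    "t1 198.51.100.1 /password_reset a1@example.com",
    "t2 198.51.100.1 /password_reset a2@example.com",
    "t3 198.51.100.2 /password_reset a3@example.com",
    "t4 198.51.100.2 /password_reset a4@example.com",
    "t5 198.51.100.3 /password_reset a5@example.com",
    "t6 198.51.100.3 /password_reset a6@example.com",
    "t7 198.51.100.3 /login alice@example.com",
]
```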

Release notes for version 4.2 document the addition of user-level lockout protections, though enumeration remains possible under default settings. The EPSS score rose from a low baseline to a peak of 0.0783 on 2026-02-03 before receding to the current value of 0.0241, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, but user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place; only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IPs or proxies), effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.

CWE(s)

CWE-305: Authentication Bypass by Primary Weakness
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: liquidfiles
Product: liquidfiles
Version: ≤ 4.2.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
