CVE-2025-66945

Severity: Critical · Public PoC
Published: 03 March 2026
Modified: 04 March 2026
KEV Added: not listed
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0053 (40.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-66945 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Zdir (vendor Zdir). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66945, published on 2026-03-03, is a path traversal vulnerability in the ZIP extraction API of Zdir Pro 4.x. The issue affects the backend endpoint at /api/extract, where processing a crafted ZIP archive enables files to be written outside the intended directory. This can result in arbitrary file overwrites and potentially remote code execution. The vulnerability carries a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-787.

An unauthenticated remote attacker can exploit this vulnerability by submitting a specially crafted ZIP archive to the /api/extract endpoint. No user interaction or privileges are required, allowing low-complexity network-based attacks. Successful exploitation enables arbitrary file overwrites beyond the extraction directory, leading to high impacts on confidentiality and integrity, with potential escalation to remote code execution depending on the overwritten files.

Advisories providing details on mitigations and patches are available at https://github.com/kaliworld/Zdir-Pro-Zip-slip-vulnerability/ and https://zeroday.endlessparadox.com/posts/cve-2025-66945/.

Vulnerability details

A path traversal vulnerability exists in the ZIP extraction API of Zdir Pro 4.x. When a crafted ZIP archive is processed by the backend at /api/extract, files may be written outside the intended directory, leading to arbitrary file overwrite and potentially remote code execution.

CWE(s)

CWE-787 Out-of-bounds Write
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a path traversal in a public-facing web API endpoint (/api/extract) allowing unauthenticated remote arbitrary file overwrites via crafted ZIP, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27807 (shared CWE-787)
CVE-2024-48856 (shared CWE-787)
CVE-2025-14234 (shared CWE-787)
CVE-2018-25223 (shared CWE-787)
CVE-2018-25154 (shared CWE-787)
CVE-2024-57704 (shared CWE-787)
CVE-2025-29384 (shared CWE-787)
CVE-2024-12648 (shared CWE-787)
CVE-2025-30276 (shared CWE-787)
CVE-2025-25746 (shared CWE-787)

Affected Assets

Vendor: zdir
Product: zdir
Affected versions: 4.1.1 through 4.6.2

Mitigating Controls (NIST 800-53 r5, AI-derived mapping)

SI-10 Information Input Validation (prevent)

Requires validation of information inputs, directly preventing path traversal in ZIP extraction by sanitizing and canonicalizing file paths in crafted archives.

SI-2 Flaw Remediation (prevent)

Mandates timely flaw remediation, directly addressing and patching the specific path traversal vulnerability in the /api/extract endpoint.

prevent

Enforces access controls to limit file write operations to the intended extraction directory, reducing the impact of unauthorized overwrites.
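As an added illustration of the SI-10 control above and of the Zip Slip mechanism described in the deeper analysis (this is example code, not code from Zdir or from the referenced advisories), the following Python routine shows the canonicalize-then-check pattern that keeps archive entries inside the extraction directory: each entry name is joined to the destination, resolved with realpath, and rejected unless it still lies under the destination. The archive it processes and the directory it writes to are constructed inline for the demo.

```python
import io
import os
import tempfile
import zipfile

def build_sample_archive() -> bytes:
    # Constructed for this demo, not a real sample: one benign entry plus two
    # entry names of the kind a Zip Slip archive relies on.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "must never be written")
        zf.writestr("/abs/path.txt", "absolute names must be rejected too")
    return buf.getvalue()

def is_within(base: str, target: str) -> bool:
    # Compare canonical (symlink- and ..-resolved) paths, never raw strings.
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def safe_extract(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Write only entries whose resolved path stays under dest.
    Returns (written entry names, rejected entry names)."""
    written, rejected = [], []
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # Canonicalize before any filesystem write (the SI-10 step).
            candidate = os.path.realpath(os.path.join(dest, info.filename))
            if not is_within(dest, candidate):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(candidate, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(candidate), exist_ok=True)
                with zf.open(info) as src, open(candidate, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def run_demo() -> tuple[list[str], list[str], str]:
    # Extract the constructed archive into a throwaway directory and report.
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(build_sample_archive(), dest)
        with open(os.path.join(dest, "docs", "readme.txt")) as fh:
            content = fh.read()
    return written, rejected, content
```

Because the check runs on the resolved path rather than on the entry name, it also catches an absolute entry name (os.path.join discards the destination for those) and a name that only escapes after symlink resolution.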

References