CVE-2025-34110 is a critical directory traversal vulnerability affecting ColoradoFTP Server versions up to and including 1.3 Build 8 on Windows platforms. The vulnerability arises from improper sanitization of user-supplied file paths in the FTP GET and PUT command handlers. Specifically, the server fails to adequately restrict pathname inputs, allowing unauthenticated attackers to include traversal sequences (such as "../") in FTP commands. This enables attackers to escape the configured FTP root directory and read or write arbitrary files on the underlying Windows system. Because the flaw requires no authentication or user interaction, and the attack vector is network accessible via FTP, exploitation is straightforward. The vulnerability impacts confidentiality by exposing sensitive system files, integrity by permitting unauthorized file modifications, and potentially availability if critical system files are overwritten or deleted. The CVSS 4.0 base score of 9.3 reflects the high severity, with network attack vector, no privileges or user interaction required, and high impact on confidentiality and integrity. This issue is specific to the Windows version of ColoradoFTP Server and does not affect other platforms. No patches have been published yet, and no known exploits are currently observed in the wild. However, the presence of this vulnerability in an FTP server—a service often exposed to external networks—poses a significant security risk if left unmitigated.

For European organizations, the impact of this vulnerability can be severe. Many enterprises and institutions still use FTP servers for legacy file transfer operations, including in sectors such as manufacturing, finance, healthcare, and government. Exploitation could lead to unauthorized disclosure of sensitive data, including personal data protected under GDPR, intellectual property, or system configuration files. Unauthorized file writes could allow attackers to implant malware, modify application files, or disrupt operations by corrupting critical files. Given the unauthenticated nature of the exploit, attackers could leverage this vulnerability to gain footholds within networks, potentially escalating to broader compromise. The risk is heightened for organizations with externally accessible FTP servers running vulnerable versions of ColoradoFTP on Windows. Additionally, the lack of available patches means organizations must rely on alternative mitigations until a fix is released. This vulnerability also raises compliance concerns under European data protection regulations due to the potential exposure of personal and sensitive data.

1. Immediate mitigation should include restricting external access to ColoradoFTP servers by firewall rules or network segmentation, limiting exposure to trusted internal networks only. 2. Disable or replace ColoradoFTP Server on Windows with a more secure and actively maintained FTP server solution that properly sanitizes file paths. 3. Monitor FTP server logs for unusual GET or PUT commands containing traversal sequences (e.g., '../') and implement intrusion detection/prevention rules to block such attempts. 4. Employ application-layer firewalls or FTP proxies capable of sanitizing and validating FTP commands to prevent traversal payloads. 5. Until a vendor patch is available, consider disabling FTP services entirely if feasible, or enforce strict access controls and multi-factor authentication on FTP access points. 6. Conduct thorough audits of systems running ColoradoFTP to identify vulnerable instances and prioritize remediation. 7. Educate IT and security teams about this vulnerability to ensure rapid detection and response to any exploitation attempts. 8. Prepare incident response plans to address potential breaches resulting from exploitation of this vulnerability.