CVE-2025-34110: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ColoradoFTP Server
A directory traversal vulnerability exists in ColoradoFTP Server ≤ 1.3 Build 8 for Windows, allowing unauthenticated attackers to read or write arbitrary files outside the configured FTP root directory. The flaw is due to insufficient sanitation of user-supplied file paths in the FTP GET and PUT command handlers. Exploitation is possible by submitting traversal sequences during FTP operations, enabling access to system-sensitive files. This issue affects only the Windows version of ColoradoFTP.
AI Analysis
Technical Summary
This vulnerability in ColoradoFTP Server (≤ 1.3 Build 8 for Windows) arises from improper limitation of pathname to a restricted directory (CWE-22). Attackers can submit crafted FTP GET and PUT commands containing directory traversal sequences to access or modify files outside the intended FTP root directory. The issue stems from insufficient sanitization of user-supplied file paths, enabling unauthorized file system access without authentication. The vulnerability is specific to the Windows platform version of ColoradoFTP Server. No known exploits in the wild have been reported, and no patch or remediation details are currently available.
Potential Impact
Successful exploitation allows unauthenticated attackers to read or write arbitrary files on the affected system outside the FTP root directory. This can lead to unauthorized disclosure of sensitive information, modification or deletion of critical files, and potential system compromise. The vulnerability is rated critical with a CVSS 4.0 score of 9.3, reflecting its high impact and ease of exploitation over the network without privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the FTP server to trusted networks and monitor for suspicious FTP commands. Consider disabling or limiting FTP PUT and GET commands if possible. Avoid exposing the vulnerable ColoradoFTP Server version to untrusted networks.
CVE-2025-34110: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ColoradoFTP Server
Description
A directory traversal vulnerability exists in ColoradoFTP Server ≤ 1.3 Build 8 for Windows, allowing unauthenticated attackers to read or write arbitrary files outside the configured FTP root directory. The flaw is due to insufficient sanitation of user-supplied file paths in the FTP GET and PUT command handlers. Exploitation is possible by submitting traversal sequences during FTP operations, enabling access to system-sensitive files. This issue affects only the Windows version of ColoradoFTP.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in ColoradoFTP Server (≤ 1.3 Build 8 for Windows) arises from improper limitation of pathname to a restricted directory (CWE-22). Attackers can submit crafted FTP GET and PUT commands containing directory traversal sequences to access or modify files outside the intended FTP root directory. The issue stems from insufficient sanitization of user-supplied file paths, enabling unauthorized file system access without authentication. The vulnerability is specific to the Windows platform version of ColoradoFTP Server. No known exploits in the wild have been reported, and no patch or remediation details are currently available.
Potential Impact
Successful exploitation allows unauthenticated attackers to read or write arbitrary files on the affected system outside the FTP root directory. This can lead to unauthorized disclosure of sensitive information, modification or deletion of critical files, and potential system compromise. The vulnerability is rated critical with a CVSS 4.0 score of 9.3, reflecting its high impact and ease of exploitation over the network without privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the FTP server to trusted networks and monitor for suspicious FTP commands. Consider disabling or limiting FTP PUT and GET commands if possible. Avoid exposing the vulnerable ColoradoFTP Server version to untrusted networks.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-04-15T19:15:22.560Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 687654a5a83201eaaccea520
Added to database: 7/15/2025, 1:16:21 PM
Last enriched: 4/7/2026, 11:03:07 PM
Last updated: 5/9/2026, 2:21:24 AM
Views: 130
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.