CVE-2025-53897: CWE-352: Cross-Site Request Forgery (CSRF) in kiteworks security-advisories
Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, this vulnerability could allow an external attacker to gain access to log information from the system by tricking an administrator into browsing a specifically crafted fake page of Kiteworks MFT. This issue has been patched in version 9.1.0.
AI Analysis
Technical Summary
CVE-2025-53897 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Kiteworks Managed File Transfer (MFT) software versions prior to 9.1.0. Kiteworks MFT is used to orchestrate end-to-end file transfer workflows, often in environments requiring secure and compliant data handling. The vulnerability arises because the application fails to adequately verify the authenticity of requests made by authenticated users, specifically administrators. An attacker can craft a malicious webpage that, when visited by an administrator, causes the administrator's browser to send unauthorized requests to the Kiteworks MFT system without their consent. This can lead to unauthorized disclosure of sensitive log information, which may contain details about system operations, user activities, or other confidential data. The CVSS v3.1 base score of 6.8 reflects a medium severity, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). The vulnerability has been addressed and patched in Kiteworks MFT version 9.1.0. No known exploits have been reported in the wild as of the publication date. This vulnerability is classified under CWE-352, which covers CSRF issues where unauthorized commands are transmitted from a user that the web application trusts. The risk primarily affects administrators who have elevated privileges and access to sensitive system logs. Exploitation requires social engineering to lure an administrator into visiting a malicious page, making user awareness and patching critical defenses.
Potential Impact
For European organizations, the impact of CVE-2025-53897 can be significant, particularly for those relying on Kiteworks MFT for secure file transfer workflows involving sensitive or regulated data. Unauthorized access to log information can lead to exposure of operational details, user activity, and potentially sensitive metadata, which may facilitate further attacks or data breaches. This can undermine confidentiality and integrity of the system and may violate data protection regulations such as GDPR if personal or sensitive data is exposed. Organizations in sectors like finance, healthcare, government, and critical infrastructure, which often use secure file transfer solutions, could face reputational damage, regulatory penalties, and operational disruptions if exploited. Although availability is not impacted, the breach of confidentiality and integrity poses a medium risk that necessitates prompt remediation. The requirement for user interaction and high attack complexity somewhat limits the ease of exploitation but does not eliminate the threat, especially in environments where administrators may be targeted by phishing or social engineering campaigns.
Mitigation Recommendations
European organizations should immediately upgrade Kiteworks MFT to version 9.1.0 or later, where this vulnerability has been patched. Until the patch is applied, organizations should implement compensating controls such as:
1) Educating administrators about the risks of CSRF and the importance of not visiting untrusted or suspicious websites while logged into administrative interfaces.
2) Employing web application firewalls (WAFs) with rules designed to detect and block CSRF attack patterns targeting Kiteworks MFT.
3) Enforcing strict Content Security Policy (CSP) headers to reduce the risk of malicious content execution.
4) Restricting administrative access to the Kiteworks MFT interface to trusted networks or VPNs to reduce exposure.
5) Monitoring logs for unusual access patterns or requests that could indicate exploitation attempts.
6) Implementing multi-factor authentication (MFA) for administrative accounts to reduce the risk of credential compromise.
7) Reviewing and minimizing the number of users with administrative privileges to reduce the attack surface.
These measures, combined with timely patching, will significantly reduce the risk posed by this vulnerability.
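The technical summary attributes the flaw to the application not verifying the authenticity of requests an administrator's browser sends, and mitigation item 5 asks for log monitoring. The following added example (written for this page, not Kiteworks code, and not a description of how the product actually handles requests) shows both sides of that in one place: a "before" handler that trusts the session cookie alone, a hardened handler that also checks request provenance (Sec-Fetch-Site / Origin / Referer) and a synchronizer token, and a detector that flags successful hits on an admin log path whose Referer names a foreign origin. ALLOWED_ORIGIN, the handler names, the `/admin/logs` path, the sample log content and the access-log lines are all constructed assumptions.

```python
# Added example (not Kiteworks code): request-authenticity checks of the kind a
# CWE-352 finding calls for, plus a detector over constructed access-log lines.
import hmac
import re
import secrets
from urllib.parse import urlparse

ALLOWED_ORIGIN = "https://mft.example.internal"  # assumed deployment origin

# Constructed sample content an admin "view logs" endpoint would return.
SAMPLE_LOGS = [
    "2025-11-29T02:37:39Z transfer id=1042 user=alice status=complete",
    "2025-11-29T02:41:02Z login user=admin src=10.0.0.7",
]


def is_same_site_request(headers: dict) -> bool:
    """Accept only requests the browser attributes to our own site.

    Sec-Fetch-Site is set by modern browsers and cannot be altered by page
    content; Origin and then Referer are fallbacks. With none present, fail
    closed, since this endpoint returns sensitive data.
    """
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        # 'none' is a user-initiated navigation (typed URL, bookmark).
        return site in ("same-origin", "none")
    origin = headers.get("Origin")
    if origin is not None:
        return origin == ALLOWED_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        p = urlparse(referer)
        return f"{p.scheme}://{p.netloc}" == ALLOWED_ORIGIN
    return False


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: random per session, kept server-side, echoed by our
    own page in a form field or header. Another site's page cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time compare


def vulnerable_view_logs(session: dict, headers: dict, params: dict):
    """'Before' shape: trusts the session cookie alone. The browser attaches
    that cookie to cross-site requests too, so this proves nothing about who
    initiated the request."""
    if session.get("role") != "admin":
        return 403, ""
    return 200, "\n".join(SAMPLE_LOGS)


def hardened_view_logs(session: dict, headers: dict, params: dict):
    """Hardened shape: same authorization, plus provenance and token checks."""
    if session.get("role") != "admin":
        return 403, ""
    if not is_same_site_request(headers):
        return 403, ""
    if not csrf_token_valid(session, params.get("csrf_token")):
        return 403, ""
    return 200, "\n".join(SAMPLE_LOGS)


# Detection side (mitigation item 5): constructed combined-log-format lines
# with a referer field; not real traffic.
ACCESS_LOG = [
    '10.0.0.7 - admin [29/Nov/2025:02:41:10 +0000] "GET /admin/logs HTTP/1.1" 200 5120 "https://mft.example.internal/admin" "Mozilla/5.0"',
    '10.0.0.7 - admin [29/Nov/2025:02:44:51 +0000] "GET /admin/logs HTTP/1.1" 200 5120 "https://third-party.example/page.html" "Mozilla/5.0"',
    '10.0.0.9 - bob [29/Nov/2025:02:45:00 +0000] "GET /files HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def cross_site_admin_hits(lines, sensitive_prefix="/admin/"):
    """Return (user, path, referer) for successful hits on sensitive paths
    whose Referer names a foreign origin. A '-' referer is not flagged: it is
    normal for typed URLs, and that case is better decided at the application
    layer with Sec-Fetch-Site, as above."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(sensitive_prefix):
            continue
        if m["status"] != "200" or m["referer"] == "-":
            continue
        p = urlparse(m["referer"])
        if f"{p.scheme}://{p.netloc}" != ALLOWED_ORIGIN:
            hits.append((m["user"], m["path"], m["referer"]))
    return hits
```

The provenance check and the token are independent layers: the header check stops a cross-site request even when the page forgot to include a token, and the token stops a request whose headers were stripped by an old client or proxy. The detector is a triage aid only; a clean Referer does not prove a request was legitimate, so its output should be read alongside the application-layer rejections.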
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-11T19:05:23.825Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 692a5c732a13ea799fd8c851
Added to database: 11/29/2025, 2:37:39 AM
Last enriched: 11/29/2025, 2:53:31 AM
Last updated: 12/3/2025, 5:40:38 PM