Kiteworks MFT is vulnerable to an Incorrectly Specified Destination in...

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to intercept upstream communication which could lead to an escalation of privileges. This issue has been patched in version 9.1.0.

Basic Information

ID CVE-2025-53899

Source GitHub_M

Published Nov 29, 2025 at 02:25

Affected Product

Vendor kiteworks

Product security-advisories

Version < 9.1.0

Affected Versions kiteworks security-advisories < 9.1.0

CWE Classification

CWE-941

References

github.com /kiteworks/security-advisories/security/advisories/GHSA-5gx5-vcpp-8cr5

{
    "lastseen": "",
    "description": "Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to intercept upstream communication which could lead to an escalation of privileges. This issue has been patched in version 9.1.0.",
    "published": "2025-11-29T02:25:23.493Z",
    "modified": "2025-11-29T02:25:23.493Z",
    "type": "cve",
    "title": "Kiteworks MFT is vulnerable to an Incorrectly Specified Destination in a Communication Channel",
    "source": "GitHub_M",
    "references": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gx5-vcpp-8cr5",
    "id": "CVE-2025-53899",
    "bulletinFamily": "",
    "cwe": [
        "CWE-941"
    ],
    "cvelist": null,
    "sourceData": "kiteworks security-advisories < 9.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "security-advisories",
    "version": "< 9.1.0",
    "vendor": "kiteworks",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Kiteworks MFT is vulnerable to an Incorrectly Specified Destination in a Communication Channel_CVE-2025-53899