Description

A path traversal vulnerability in unauthenticated upload functionality allows a malicious actor to upload binaries and scripts to the server’s configuration and web root directories, achieving remote code execution on the Unified PAM server.

Status: Published | Reserved 2025-06-26 | Published 2025-08-25 | Updated 2025-08-25 | Assigner: rapid7

CRITICAL: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

9.0.*: affected

Credits

Aaron Herndon, Principal Security Consultant, and Marcus Chang, Security Consultant, both of Rapid7 (finder)

References

www.rapid7.com/...m-multiple-critical-vulnerabilities-fixed/ (third-party advisory)

cve.org (CVE-2025-53120)

nvd.nist.gov (CVE-2025-53120)