CVE-2025-53880 HIGH

CVE-2025-53880: susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal

Vendor SUSE
Product Container suse/manager/4.3/proxy-httpd:latest
Weakness CWE-35
Published October 30, 2025
Last update February 26, 2026

CVSS base score

8.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.

Key dates

02 Disclosure timeline

October 30, 2025 CVE published
February 26, 2026 Record updated