CVE-2025-53896 HIGH

CVE-2025-53896: Kiteworks MFT is vulnerable to Insufficient Session Expiration

Vendor Kiteworks
Product security-advisories
Weakness CWE-613 · Insufficient session expiration
Published November 29, 2025
Last update December 3, 2025

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could, under certain circumstances, prevent a user's active session from properly timing out due to inactivity. This issue has been patched in version 9.1.0.

Key dates

02 Disclosure timeline

November 29, 2025 CVE published
December 3, 2025 Record updated