tftpsync Path Traversal Write/Del via TFTP Scripts (CVE-2025-53880)
CVE-2025-53880 Published on October 30, 2025
susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal
A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.
Weakness Type
Path Traversal: '.../...//'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Products Associated with CVE-2025-53880
Want to know whenever a new CVE is published for Suse Manager? stack.watch will email you.
Affected Versions
Container suse/manager/4.3/proxy-httpd:latest:- Version ? and below 4.3.11-150400.3.15.3 is affected.
- Version ? and below 5.0.3-150600.3.6.4 is affected.
- Version ? and below 5.1.3-150700.3.3.3 is affected.
- Version ? and below 4.3.11-150400.3.15.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.