Threat intelligence

ZendTo Vulnerability (CVE-2025-34508) Could Lead to Data Exposure and Service Disruption

by Security News

Overview

The SonicWall Capture Labs threat research team became aware of CVE-2025-34508, a medium-severity (CVSS 6.3) path traversal vulnerability in the ZendTo file transfer application. ZendTo is an open-source, web-based tool commonly used by universities, research institutions, and enterprises to securely exchange large files with external users.

The vulnerability affects versions prior to 6.15-8 and could allow authenticated users to manipulate file paths and access or relocate arbitrary files on the server. This could expose sensitive data, impact service availability, or enable lateral movement within a compromised environment. ZendTo has released version 6.15-8 to address the issue.

Technical Overview

CVE-2025-34508 is a path traversal vulnerability in the file upload logic of ZendTo’s “drop-off” feature. ZendTo uploads large files in chunks. Each chunk is associated with a chunkName parameter, normally a unique alphanumeric identifier that also selects the subdirectory the chunk is stored in. If chunkName is set to a non-alphanumeric value (e.g., a single period), ZendTo does not create a subdirectory and instead stores the incoming chunks directly in the global upload root (/zendto/tmp).

The tmp_name parameter in the POST body is also attacker-controlled. ZendTo passes it to PHP’s move_uploaded_file() without sanitizing it, so an attacker can include traversal sequences such as ../../ to make the server move or overwrite files outside the upload directory. An example of a malicious request can be seen in Figure 1.

Figure 1: Malicious request based on Horizon3.ai blog

Triggering the Vulnerability

To trigger the vulnerability:

  1. An authenticated user submits a file through the drop-off interface.
  2. The chunkName parameter is set to a period (.), so the chunk is placed in the global upload root rather than a per-upload subdirectory.
  3. The tmp_name parameter is set to a relative path with traversal components (e.g., ../../../../../tmp/zendto.log), so the file move operation reads from or writes to a location outside the upload directory.
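The following Python model, added here for illustration and not taken from ZendTo’s PHP source, reproduces the path resolution that the three steps above abuse and places the corresponding hardened version next to it. The directory layout (/zendto/tmp as the upload root) comes from the page; the alphanumeric rule for chunkName and the bare-file-name rule for tmp_name are assumptions chosen to match the behaviour the page describes.

```python
import posixpath
import re

# Global chunk directory named on the page.
UPLOAD_ROOT = "/zendto/tmp"
# Assumption: a legitimate chunkName is purely alphanumeric.
CHUNK_NAME_RE = re.compile(r"\A[A-Za-z0-9]+\Z")
# Assumption: a legitimate temp file name carries no path separators.
TMP_NAME_RE = re.compile(r"\A[A-Za-z0-9._-]+\Z")


class UploadRejected(ValueError):
    """Raised by the hardened handler when a request parameter is unsafe."""


def vulnerable_chunk_source(chunk_name: str, tmp_name: str) -> str:
    """Path the pre-6.15-8 logic described above would hand to the move call.

    A chunkName that is not alphanumeric gets no subdirectory of its own, so
    the chunk is resolved directly under UPLOAD_ROOT, and tmp_name is joined
    to that directory unsanitised, so '../' components walk out of the tree.
    """
    if CHUNK_NAME_RE.match(chunk_name):
        chunk_dir = posixpath.join(UPLOAD_ROOT, chunk_name)
    else:
        chunk_dir = UPLOAD_ROOT
    return posixpath.normpath(posixpath.join(chunk_dir, tmp_name))


def hardened_chunk_source(chunk_name: str, tmp_name: str) -> str:
    """Same resolution with the server-side checks the remediation calls for.

    chunkName must match the expected alphabet, tmp_name must be a bare file
    name, and the normalised result must still lie inside the chunk directory.
    """
    if not CHUNK_NAME_RE.match(chunk_name):
        raise UploadRejected(f"invalid chunkName {chunk_name!r}")
    if not TMP_NAME_RE.match(tmp_name) or tmp_name in (".", ".."):
        raise UploadRejected(f"invalid tmp_name {tmp_name!r}")
    chunk_dir = posixpath.join(UPLOAD_ROOT, chunk_name)
    candidate = posixpath.normpath(posixpath.join(chunk_dir, tmp_name))
    # Containment check: reject anything that normalises out of chunk_dir.
    if posixpath.commonpath([chunk_dir, candidate]) != chunk_dir:
        raise UploadRejected(f"{candidate} escapes {chunk_dir}")
    return candidate


def is_inside_upload_root(path: str) -> bool:
    """True if a normalised absolute path lies under UPLOAD_ROOT."""
    return posixpath.commonpath([UPLOAD_ROOT, path]) == UPLOAD_ROOT


def rejects(chunk_name: str, tmp_name: str) -> bool:
    """Does the hardened handler refuse this chunkName/tmp_name pair?"""
    try:
        hardened_chunk_source(chunk_name, tmp_name)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # A normal upload next to the parameter pair from the triggering steps above.
    for chunk, tmp in (("a1b2c3d4", "chunk0"), (".", "../../../../../tmp/zendto.log")):
        src = vulnerable_chunk_source(chunk, tmp)
        print(f"chunkName={chunk!r} tmp_name={tmp!r}")
        print(f"  vulnerable resolves to {src} (inside upload root: {is_inside_upload_root(src)})")
        print(f"  hardened rejects: {rejects(chunk, tmp)}")
```

With chunkName set to "." and the traversal tmp_name from step 3, the vulnerable resolution lands on /tmp/zendto.log, entirely outside /zendto/tmp, while the hardened version refuses the request at the chunkName check before any path is built. The containment check is kept as a second line of defence; in a real handler the client-supplied tmp_name should not be used at all, and the server’s own temporary file path for the upload should be moved instead.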

Exploitation

An attacker with valid ZendTo credentials can exploit the vulnerability to:

  • Access sensitive log files (e.g., zendto.log) containing claim IDs and email addresses by moving them into a drop-off the attacker controls.
  • Move or overwrite other users’ uploaded files before their recipients pick them up.
  • Cause a denial of service by overwriting internal files, such as the SQLite database (/var/zendto/database/zendto.db).

SonicWall Protections

To ensure SonicWall customers are protected from exploitation of this vulnerability, the following signature has been released:

  • IPS:21144 – ZendTo File Transfer drop-off path traversal

Remediation Recommendations

  • Upgrade ZendTo to version 6.15-8 or later.
  • Enforce server-side validation of file path parameters: restrict chunkName to the expected alphanumeric format and do not trust client-supplied temporary file names.
  • Limit the ZendTo service account’s filesystem write access to the temporary upload directory and the paths it genuinely needs.
  • Monitor for unusual use of the drop-off feature (non-alphanumeric chunkName values, traversal sequences in request parameters, files appearing directly in the upload root) and for signs of tampering with the log or database files.
  • Isolate ZendTo instances from critical infrastructure through network segmentation.
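To make the monitoring recommendation concrete, here is a small detection script added as an example (not SonicWall or ZendTo code). It looks for the two traces the vulnerability leaves that the page describes: drop-off requests whose chunkName is not alphanumeric or whose tmp_name carries path separators, and chunk files sitting directly in the upload root instead of a per-upload subdirectory. The request records are constructed and assume a WAF or reverse proxy that logs form fields, since ordinary access logs do not include POST bodies; the alphanumeric rule for chunk subdirectories is an assumption.

```python
import os
import re
import shutil
import tempfile
from typing import Iterable

# Assumption: chunk subdirectories created by a normal drop-off are alphanumeric.
CHUNK_DIR_RE = re.compile(r"\A[A-Za-z0-9]+\Z")

# Constructed sample records (not real traffic), modelled on a proxy/WAF that
# logs the form fields of drop-off upload requests.
SAMPLE_REQUESTS = [
    {"user": "alice@example.edu", "chunkName": "f9c1e2d3a4b5", "tmp_name": "phpA1b2C3"},
    {"user": "bob@example.edu", "chunkName": "0e1f2a3b4c5d", "tmp_name": "phpZ9y8X7"},
    {"user": "mallory@example.edu", "chunkName": ".", "tmp_name": "../../../../../tmp/zendto.log"},
]


def suspicious_dropoff_requests(records: Iterable[dict]) -> list:
    """Return the records whose parameters match the CVE-2025-34508 pattern."""
    hits = []
    for rec in records:
        chunk = rec.get("chunkName", "")
        tmp = rec.get("tmp_name", "")
        reasons = []
        if chunk and not CHUNK_DIR_RE.match(chunk):
            reasons.append("non-alphanumeric chunkName")
        if "/" in tmp or "\\" in tmp or ".." in tmp.split("/"):
            reasons.append("path separator or traversal in tmp_name")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def scan_upload_root(upload_root: str) -> list:
    """Return (finding, entry_name) pairs for layout anomalies in the chunk root.

    A non-alphanumeric chunkName drops chunks straight into the root, so a
    regular file or symlink at the top level, or a subdirectory whose name is
    outside the expected alphabet, was not produced by a normal upload.
    """
    findings = []
    for name in sorted(os.listdir(upload_root)):
        path = os.path.join(upload_root, name)
        if os.path.islink(path):
            findings.append(("symlink-in-upload-root", name))
        elif os.path.isfile(path):
            findings.append(("file-in-upload-root", name))
        elif not CHUNK_DIR_RE.match(name):
            findings.append(("non-alphanumeric-chunk-dir", name))
    return findings


def build_demo_upload_root() -> str:
    """Construct a throwaway upload root: one clean chunk dir plus one stray chunk."""
    root = tempfile.mkdtemp(prefix="zendto-tmp-")
    os.makedirs(os.path.join(root, "a1b2c3d4"))
    open(os.path.join(root, "a1b2c3d4", "chunk0"), "w").close()
    # A chunk that landed in the root because chunkName was "."
    open(os.path.join(root, "stray-chunk"), "w").close()
    return root


if __name__ == "__main__":
    for hit in suspicious_dropoff_requests(SAMPLE_REQUESTS):
        print("request:", hit["user"], hit["reasons"])
    root = build_demo_upload_root()
    try:
        for finding, name in scan_upload_root(root):
            print("filesystem:", finding, name)
    finally:
        shutil.rmtree(root)
```

Run `scan_upload_root` against the real chunk directory on a schedule and feed its findings, together with the request hits, into whatever alerting the deployment already uses; a single stray file in the upload root is worth a look, because the normal drop-off flow never writes there.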


An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
