CVE-2025-56132
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-15
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liquidfiles | liquidfiles | to 4.2.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in LiquidFiles filetransfer server allows unauthenticated attackers to perform user enumeration through the password reset functionality. The application responds differently to valid and invalid email addresses, enabling attackers to determine which email addresses are registered users. Although version 4.2 introduces user-based lockout mechanisms to reduce brute-force attacks, user enumeration is still possible by default. Earlier versions rely only on IP-based rate limiting, which can be bypassed by using multiple IP addresses.
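The response-difference oracle described above, shown beside a handler that closes it. This is an added example, not LiquidFiles code: the user store, the `HardenedReset` class, its limits and the reply wording are all constructed for illustration. The hardened version returns the same status and message whether or not the address is registered, does the same work on both branches, and keys its per-address lockout on the address that was asked for rather than on a real account, so the lockout itself cannot be turned into a second oracle.

```python
import secrets
import time
from collections import defaultdict
from typing import Optional

# Constructed user store; a real server would query its account database.
REGISTERED = {"alice@example.com", "bob@example.com"}

GENERIC_MESSAGE = "If that address is registered, a reset link has been sent."


def reset_vulnerable(email: str) -> dict:
    """Leaks whether `email` belongs to a user: status and wording differ per branch."""
    if email.strip().lower() in REGISTERED:
        return {"status": 200, "message": "A reset link has been sent."}
    return {"status": 404, "message": "No account found for that address."}


class HardenedReset:
    """Uniform response plus per-address and per-IP throttling (constructed design).

    The per-address counter is keyed on the *requested* address, registered or
    not, so a throttled reply says nothing about account existence.
    """

    def __init__(self, per_address_limit: int = 3, per_ip_limit: int = 20,
                 window_s: int = 3600):
        self.per_address_limit = per_address_limit
        self.per_ip_limit = per_ip_limit
        self.window_s = window_s
        self._by_address = defaultdict(list)   # address -> request timestamps
        self._by_ip = defaultdict(list)        # source IP -> request timestamps
        self.outbox = []                       # (address, token) that would be mailed

    def _recent(self, bucket: dict, key: str, now: float) -> int:
        """Drop timestamps outside the window and return how many remain."""
        bucket[key] = [t for t in bucket[key] if now - t < self.window_s]
        return len(bucket[key])

    def request(self, email: str, source_ip: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        addr = email.strip().lower()
        # Throttle decision depends only on request volume, never on registration.
        throttled = (self._recent(self._by_address, addr, now) >= self.per_address_limit
                     or self._recent(self._by_ip, source_ip, now) >= self.per_ip_limit)
        self._by_address[addr].append(now)
        self._by_ip[source_ip].append(now)
        if throttled:
            return {"status": 429, "message": "Too many reset requests; try again later."}
        # Same work on both branches: always mint a token so timing stays similar.
        token = secrets.token_urlsafe(32)
        if addr in REGISTERED:
            self.outbox.append((addr, token))   # stand-in for sending the mail
        # Registered or not: identical status and identical wording.
        return {"status": 200, "message": GENERIC_MESSAGE}


if __name__ == "__main__":
    h = HardenedReset()
    print(reset_vulnerable("alice@example.com"), reset_vulnerable("nobody@example.com"))
    print(h.request("alice@example.com", "203.0.113.5"), h.request("nobody@example.com", "203.0.113.5"))
```

The 429 branch is deliberately reached by the same rule for every address; a lockout that only counted attempts against existing accounts would recreate the oracle the generic message removed.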
How can this vulnerability impact me?
The vulnerability allows attackers to identify valid user email addresses registered in the system. This information can be used to launch follow-up attacks such as password spraying, increasing the risk of unauthorized access to user accounts and potentially compromising sensitive data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade LiquidFiles filetransfer server to version 4.2 or later, which introduces user-based lockout mechanisms to reduce brute-force attacks. Additionally, monitor and limit password reset requests to prevent abuse, and consider implementing additional protections such as CAPTCHA or multi-factor authentication to reduce the risk of user enumeration and follow-up attacks.
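The "monitor and limit password reset requests" advice above, worked through as detection logic over log lines. This is an added example, not part of this record or of LiquidFiles: the log format (`password_reset ip=... email=... status=...`), the sample lines, and the thresholds are constructed. It flags two patterns the description implies: one source trying many distinct addresses, and a burst spread across many sources that each stay under a per-IP limit, which is how the older IP-only rate limiting is sidestepped.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed application-log format, one line per reset request. The field
# names are an assumption for this example, not LiquidFiles' real log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) password_reset ip=(?P<ip>\S+) email=(?P<email>\S+) status=(?P<status>\d+)$"
)


def _line(ts, ip, email, status=200):
    return f"{ts} password_reset ip={ip} email={email} status={status}"


def build_sample_log():
    """Constructed sample: one benign request, one noisy IP, one distributed burst."""
    lines = [_line("2025-09-30T08:00:00Z", "192.0.2.10", "alice@example.com")]
    # One source trying six different addresses inside one minute.
    for i in range(6):
        lines.append(_line(f"2025-09-30T09:00:{10 * i:02d}Z", "203.0.113.5",
                           f"user{i}@example.com"))
    # Eight sources, two addresses each, inside eight minutes: every source stays
    # under a per-IP threshold, but the window total does not.
    for i in range(8):
        for j in range(2):
            lines.append(_line(f"2025-09-30T10:{i:02d}:{30 * j:02d}Z",
                               f"198.51.100.{i + 1}", f"target{2 * i + j}@example.com"))
    return lines


def parse(lines):
    """Yield (timestamp, ip, email) for lines in the expected format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["ip"], m["email"].lower()


def find_enumeration(lines, window=timedelta(minutes=10), per_ip_distinct=5, global_total=12):
    """Bucket requests into fixed windows. Flag IPs that asked for many distinct
    addresses, and windows whose total volume is high although no single IP
    crossed the per-IP threshold."""
    per_window = defaultdict(lambda: defaultdict(set))   # window -> ip -> addresses
    for ts, ip, email in parse(lines):
        bucket = int(ts.timestamp() // window.total_seconds())
        per_window[bucket][ip].add(email)

    noisy_ips, distributed = set(), []
    for bucket, ips in sorted(per_window.items()):
        total = sum(len(addrs) for addrs in ips.values())
        for ip, addrs in ips.items():
            if len(addrs) >= per_ip_distinct:
                noisy_ips.add(ip)
        if total >= global_total and all(len(a) < per_ip_distinct for a in ips.values()):
            start = datetime.fromtimestamp(bucket * window.total_seconds(), tz=timezone.utc)
            distributed.append((start.isoformat(), len(ips), total))
    return {"noisy_ips": sorted(noisy_ips), "distributed": distributed}


if __name__ == "__main__":
    print(find_enumeration(build_sample_log()))
```

On the constructed sample this reports `203.0.113.5` as a noisy source and one distributed window starting at 10:00 UTC with 8 sources and 16 distinct addresses. Thresholds should be set from a site's own baseline of reset traffic; the window total is the signal that per-IP limiting alone misses.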