
Critical Flaw in ZendTo File Transfer App Exposes User Data Across Organizations

CVE-2025-34508 ZendTo Vulnerability

Security researchers have uncovered a serious path traversal vulnerability in ZendTo, a widely used file-sharing platform trusted by universities, government agencies, and healthcare organizations worldwide. The flaw allows attackers to bypass security controls and access sensitive files belonging to other users.

Cybersecurity firm Horizon3.ai disclosed the vulnerability, designated CVE-2025-34508, which affects ZendTo versions 6.15-7 and earlier. The company has urged all users to immediately upgrade to version 6.15-8, which patches the security hole.

ZendTo functions as a self-hosted "drop-off" service where users can register accounts to upload and share large files with others. The newly disclosed vulnerability lies in how the application processes file upload requests: a malformed upload request lets an attacker traverse the server's file system and pull in files the uploader was never authorized to read.

How the Attack Works

The vulnerability stems from inadequate input validation during the file upload process. When users submit files through ZendTo's "dropoff" feature, the system processes two key request values: chunkName and tmp_name. The chunkName value is sanitized by stripping everything that is not an alphanumeric character rather than by rejecting bad input. The researchers showed that a chunkName containing no alphanumeric characters at all is therefore reduced to an empty string, so the path the application builds from it no longer names a file inside the upload directory but the upload directory itself.

"What happens if a user-specified chunkName doesn't contain ANY alphanumeric characters? Well, we simply have a chunkPath that points to the root upload directory rather than to a specific file," the Horizon3.ai researchers explained in their disclosure.

The real danger emerges when the system then processes the tmp_name value, which is not sanitized at all. Because tmp_name is taken from the request rather than from the server's own record of the uploaded file, an attacker can set it to an arbitrary path on the server, causing the application to operate on files such as system logs or other sensitive data that the web server process can read.

In their proof-of-concept demonstration, the researchers showed how an attacker could retrieve ZendTo's system log file, which records the claim IDs of every drop-off. Armed with those identifiers, a malicious actor could then access any user's uploaded content on the affected ZendTo instance.
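To make the two halves of the bug concrete, the following PHP is an added illustration written for this article, not ZendTo's own code: a hypothetical chunk handler that reproduces the sanitization pattern the disclosure describes (strip non-alphanumerics, accept what is left; use a request-supplied tmp_name as a file path) next to a hardened version of each step. The constant UPLOAD_ROOT, the function names, and the sample chunkName values are all assumptions made for the example.

```php
<?php
// Added example, not ZendTo's code. UPLOAD_ROOT, the function names and the
// sample inputs below are hypothetical.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/tmp/zendto-demo/uploads'; // assumed upload directory

// Vulnerable pattern: strip everything that is not alphanumeric and use the
// remainder. A chunkName with no alphanumeric characters ("", "../", "!!!")
// collapses to the empty string, so the "chunk path" is UPLOAD_ROOT . '/',
// i.e. the upload directory itself rather than a file inside it.
function chunk_path_vulnerable(string $chunkName): string
{
    $clean = preg_replace('/[^a-zA-Z0-9]/', '', $chunkName);
    return UPLOAD_ROOT . '/' . $clean;
}

// Hardened: validate against an allowlist and reject on mismatch instead of
// silently repairing the value. Empty input now fails rather than pointing at
// the directory.
function chunk_path_hardened(string $chunkName): string
{
    if (!preg_match('/^[a-zA-Z0-9]{1,64}$/', $chunkName)) {
        throw new InvalidArgumentException('invalid chunkName');
    }
    return UPLOAD_ROOT . '/' . $chunkName;
}

// Vulnerable pattern: a path taken straight from the request body is used as
// the source of a server-side file operation. Pointing it at the application
// log (or any file the web server can read) copies that file into the
// caller's own drop-off.
function stage_chunk_vulnerable(string $requestTmpName, string $dest): bool
{
    return copy($requestTmpName, $dest);
}

// Hardened: only accept the temporary path PHP itself assigned to the upload,
// confirm it with is_uploaded_file(), move it with move_uploaded_file(), and
// confirm the destination resolves inside UPLOAD_ROOT (realpath on the parent
// directory, with a trailing-slash prefix check so "uploads2" does not match).
function stage_chunk_hardened(array $file, string $dest): bool
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $destDir = realpath(dirname($dest));
    $root    = realpath(UPLOAD_ROOT);
    if ($destDir === false || $root === false) {
        return false;
    }
    $inside = $destDir === $root
        || strncmp($destDir, $root . '/', strlen($root) + 1) === 0;
    if (!$inside) {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $dest);
}

// Constructed inputs showing how the vulnerable sanitizer behaves: only the
// first value yields a path to a file; the rest collapse to the directory.
foreach (['chunk1', '', '../', '!!!'] as $name) {
    printf("%-8s -> %s\n", var_export($name, true), chunk_path_vulnerable($name));
    try {
        chunk_path_hardened($name);
        echo "         hardened: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "         hardened: rejected\n";
    }
}
```

Run it from the command line with `php` to see the four chunkName values side by side. The point of the hardened functions is the rule the vulnerable ones violate: validate and reject rather than strip and continue, and never let the client name the server-side file you move, since PHP already records the real temporary path in $_FILES and is_uploaded_file() is the check that the path is that one.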

In recent years, high-profile attacks on platforms like Progress's MOVEit Transfer, Accellion's File Transfer Appliance, and Fortra's GoAnywhere MFT have demonstrated how vulnerabilities in these systems can serve as entry points for ransomware groups and data thieves.

"File transfer applications have become common targets for malicious actors, such as ransomware groups," the researchers noted, highlighting the strategic value these platforms hold for attackers seeking to access organizational data.

Organizations using ZendTo should prioritize updating to version 6.15-8 immediately. System administrators should also review their logs for drop-offs created or retrieved by unexpected accounts and for other unusual drop-off and download activity, and consider adding monitoring for such patterns going forward.
