CVE-2025-8356

Published Aug 8, 2025

Last updated 7 months ago

CVSS critical 9.8
Xerox FreeFlow Core

Overview

Description
In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.
Source
10b61619-3869-496c-8a1e-f291b0e71e3f
NVD status
Modified
Products
freeflow_core

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

10b61619-3869-496c-8a1e-f291b0e71e3f
CWE-22

Social media

Hype score
Not currently trending

  1. #exploit 1⃣ CVE-2025-54309: CrushFTP race condition vulnerability - https://t.co/pHgnXcUEnV 2⃣ CVE-2025-34030: sar2html 'plot' parameter RCE - https://t.co/vuvXIAdsFZ 3⃣ CVE-2025-8355/CVE-2025-8356: XXE Injection/Path Traversal in Xerox FreeFlow Core - https://t.co/J4B

    @ksg93rd

    29 Aug 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Warning: Xerox FreeFlow Core vulnerabilities CVE-2025-8355 and CVE-2025-8356 - Proof of Concept released - Patching Recommended Details: https://t.co/5ndHanUVYm #Patch #Patch #Patch

    @CCBalert

    14 Aug 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 『These vulnerabilities are easily exploitable and enable unauthenticated remote attackers to achieve remote code execution on vulnerable FreeFlow Core instances.』 #Xerox CVE-2025-8355、CVE-2025-8356 From Support Ticket to Zero Day https://t.co/HF8r8eC2tz

    @autumn_good_35

    13 Aug 2025

    138 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Our latest disclosures for CVE-2025-8355 and CVE-2025-8356 - discovering a critical RCE in Xerox FreeFlow Core

    @Horizon3Attack

    13 Aug 2025

    12880 Impressions

    5 Retweets

    61 Likes

    17 Bookmarks

    0 Replies

    0 Quotes

  5. Our latest disclosures for CVE-2025-8355 and CVE-2025-8356 - discovering a critical RCE in Xerox FreeFlow Core https://t.co/GOyasjmYCa https://t.co/0xNsPDozDU

    @Horizon3Attack

    13 Aug 2025

    11462 Impressions

    60 Retweets

    155 Likes

    54 Bookmarks

    1 Reply

    3 Quotes

  6. CVE-2025-8356 (CVSS:9.8, CRITICAL) is Undergoing Analysis. In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized file..https://t.co/gETY6nfOQI #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    13 Aug 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Xerox patches FreeFlow Core 8.0.4 to fix critical XXE and path traversal flaws causing SSRF and remote code execution risks. Vulnerabilities CVE-2025-8355 and CVE-2025-8356 addressed with help from researcher Jimi Sebree. #FreeFlow #RemoteCode #USA https://t.co/mUEIL8a9n2

    @TweetThreatNews

    11 Aug 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Xerox FreeFlow Core v8.0.4 has 2 critical flaws: 🛑 CVE-2025-8355 → SSRF 🛑 CVE-2025-8356 → Path Traversal → RCE 💡 Fix: Update to v8.0.5 now! Paxion Cybersecurity helps organizations stay ahead of threats like these. #CyberSecurity #Xerox #Infosec #RCE #SSRF https:

    @PaxionCyber

    11 Aug 2025

    51 Impressions

    3 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Xerox patches critical SSRF and remote code execution bugs CVE-2025-8355 & CVE-2025-8356 in FreeFlow Core 8.0.4. Upgrade to 8.0.5 to address system compromise risks. #XeroxSecurity #FreeFlowCore #USA https://t.co/k7LlfG5Ibg

    @TweetThreatNews

    11 Aug 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. [CVE-2025-8356: CRITICAL] Critical Path Traversal vulnerability in Xerox FreeFlow Core 8.0.4 allows Remote Code Execution, posing a severe threat to system security. #cybersecurity#cve,CVE-2025-8356,#cybersecurity https://t.co/zuEOtUTy4S https://t.co/RvpN1AEdaq

    @CveFindCom

    8 Aug 2025

    53 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. CVE-2025-8356 In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Ex… https://t.co/c2IGoOPsTn

    @CVEnew

    8 Aug 2025

    271 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.  Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on -  https://www.support.xerox.com/en-us/product/core/downloadsCVE-2026-2252
  2. Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads https://www.support.xerox.com/en-us/product/core/downloadsCVE-2026-2251
  3. In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, this results in a Server-Side Request Forgery (SSRF).CVE-2025-8355
  4. Authenticated RCE via Path TraversalCVE-2024-47559
  5. Authenticated RCE via Path TraversalCVE-2024-47558

References

Sources include official advisories and independent security research.